universally composable relaxed password authenticated key ... · protocols for password...

62
Universally Composable Relaxed Password Authenticated Key Exchange Michel Abdalla 1,2 , Manuel Barbosa 3 , Tatiana Bradley 4 , Stanis law Jarecki 4 , Jonathan Katz 5 , Jiayu Xu 5,6 1 DIENS, ´ Ecole normale sup´ erieure, CNRS, PSL University, Paris, France [email protected] 2 INRIA, Paris, France 3 FCUP and INESC TEC, Porto, Portugal [email protected] 4 University of California, Irvine, USA [email protected], [email protected] 5 Dept. of Computer Science, George Mason University, USA [email protected] 6 Dept. of Computer Science, University of Maryland, USA [email protected] Abstract. Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree on a cryptographically strong key. We revisit the notion of PAKE in the framework of universal composability, and propose a relaxation of the PAKE functionality of Canetti et al. that we call lazy-extraction PAKE (lePAKE). Roughly, our relaxation allows the ideal-world adversary to postpone its password guess even until after a session is complete. We argue that this relaxed notion still provides meaningful security in the password-only setting. As our main result, we show that several PAKE protocols that were previously only proven secure with respect to a “game-based” definition can in fact be shown to realize the lePAKE functionality in the random-oracle model. These include SPEKE, SPAKE2, and TBPEKE, the most efficient PAKE schemes currently known. 1 Introduction ........................................................................... 2 1.1 Technical Overview ................................................................ 3 1.2 Paper Overview ................................................................... 5 2 Relaxations of UC PAKE ............................................................... 5 3 Security of SPAKE2 .................................................................... 8 3.1 Extensions to TBPEKE, SPEKE, and their variants ................................... 14 4 Adding Explicit Authentication .......................................................... 14 5 PAKE Relaxations and PFS ............................................................. 16 5.1 Defining PFS ..................................................................... 16 5.2 Relaxed PAKE Implies PFS ........................................................ 18 5.3 Lazy-Extraction PAKE Implies Weak FS ............................................. 20 5.4 Practical implications .............................................................. 20 Acknowledgments ......................................................................... 20 A Proof of Theorem 2 .................................................................... 23 B Security of TBPEKE ................................................................... 26 C Supplementary Figures for SPAKE2 Proof ................................................ 30 Supplementary Material: Game-based Proofs for SPAKE2 ...................................... 35

Upload: others

Post on 22-Aug-2020

3 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Universally Composable RelaxedPassword Authenticated Key Exchange

Michel Abdalla1,2, Manuel Barbosa3, Tatiana Bradley4,Stanis law Jarecki4, Jonathan Katz5, Jiayu Xu5,6

1 DIENS, Ecole normale superieure, CNRS, PSL University, Paris, [email protected]

2 INRIA, Paris, France3 FCUP and INESC TEC, Porto, Portugal

[email protected] University of California, Irvine, USA

[email protected], [email protected] Dept. of Computer Science, George Mason University, USA

[email protected] Dept. of Computer Science, University of Maryland, USA

[email protected]

Abstract. Protocols for password authenticated key exchange (PAKE) allow two parties who shareonly a weak password to agree on a cryptographically strong key. We revisit the notion of PAKE in theframework of universal composability, and propose a relaxation of the PAKE functionality of Canettiet al. that we call lazy-extraction PAKE (lePAKE). Roughly, our relaxation allows the ideal-worldadversary to postpone its password guess even until after a session is complete. We argue that thisrelaxed notion still provides meaningful security in the password-only setting.

As our main result, we show that several PAKE protocols that were previously only proven securewith respect to a “game-based” definition can in fact be shown to realize the lePAKE functionality inthe random-oracle model. These include SPEKE, SPAKE2, and TBPEKE, the most efficient PAKEschemes currently known.

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.1 Technical Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.2 Paper Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 Relaxations of UC PAKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

3 Security of SPAKE2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

3.1 Extensions to TBPEKE, SPEKE, and their variants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

4 Adding Explicit Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

5 PAKE Relaxations and PFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

5.1 Defining PFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

5.2 Relaxed PAKE Implies PFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

5.3 Lazy-Extraction PAKE Implies Weak FS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

5.4 Practical implications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

A Proof of Theorem 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

B Security of TBPEKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

C Supplementary Figures for SPAKE2 Proof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Supplementary Material: Game-based Proofs for SPAKE2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Page 2: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

1 Introduction

Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak passwordto agree on a cryptographically strong key by communicating over an insecure network. PAKE protocolshave been studied extensively in the cryptographic literature [6,5,7,13,23,10,11], and are compelling given thewidespread use of passwords for authentication. Even though the current practice is to implement password-based authentication by using TLS to set up a secure channel over which the password is sent, there aremany arguments in favor of using PAKE protocols in conjunction with TLS [20]. Several PAKE protocolsare currently under active consideration for standardization by the IETF [26].

Defining security for PAKE protocols is made challenging by the fact that a password shared by theparties may have low entropy, and so can be guessed by an adversary with noticeable probability. This mustsomehow be accounted for in any security definition. Roughly speaking, the security guaranteed by a PAKEprotocol is that an attacker who initiates Q online attacks—i.e., actively interferes in Q sessions of theprotocol—can make at most Q password guesses (i.e., at most one per session in which it interferes) andcan succeed in impersonating a party only if one of those guesses was correct. In particular, this means thatoffline attacks, in which an adversary merely eavesdrops on executions of the protocol, should not help theadversary in any way.

Two paradigms of PAKE security. In the cryptographic literature there are two leading paradigms forrigorously defining the above intuition. The first is the so-called “game-based” definition introduced by Bellareet al. [5]. In this definition, a password is chosen from a distribution with min-entropy κ, and the securityexperiment considers an interaction of an adversary with multiple instances of the PAKE protocol usingthat password. A PAKE protocol is considered secure if no probabilistic polynomial-time (PPT) attackercan distinguish a real session key from a random session key with advantage better than Q · 2−κ plus anegligible quantity.

A second approach uses a “simulation-based” definition [7,10]. The most popular choice here is to workin the framework of universal composability (UC) [9], and this is what we mean from now on when we referto a simulation-based definition. This approach works by first defining an appropriate ideal functionality forPAKE; a PAKE protocol is then considered secure if it realizes that functionality. Canetti et al. [10] pur-sued this approach, and defined a PAKE functionality that explicitly allows an adversary to make passwordguesses; a random session key is generated unless the adversary’s password guess is correct. As argued byCanetti et al. [10], this approach has a number of advantages. A definition in the UC framework is bettersuited for handling general correlations between passwords, e.g., when a client uses unequal but relatedpasswords with different servers, or when two honest parties in a session use different but closely relatedpasswords due to mistyping. A UC definition also ensures security under arbitrary protocol composition,which is useful for arguing security of protocols that use PAKE as a subroutine, e.g., for converting sym-metric PAKE to asymmetric PAKE [12,18] or strong asymmetric PAKE [20]. This is especially importantin the context of PAKE standardization, because strong asymmetric PAKE protocols can strengthen thecurrent practice of password-over-TLS authentication while achieving optimal security in the face of servercompromise.

Is there an inherent price for simulation-based security? Simulation-based security for PAKE isa desirable target. Unfortunately, the current state-of-the-art [10,25,22,8] suggests that this notion is moredifficult to satisfy than the game-based definition. In particular, the most efficient UC PAKE protocol [8] isroughly a factor of two less efficient than the most efficient game-based PAKEs such as SPEKE [19,28,17],SPAKE2 [4], or TBPEKE [31].1

Perhaps surprisingly, we show here that this “gap” can be overcome; in particular, we show that theSPEKE, SPAKE2, and TBPEKE protocols—which were previously only known to be secure with respect tothe game-based notion of security—can be shown to be universally composable (in the random-oracle model).The caveat is that we prove universal composability with respect to a (slightly) relaxed version of the PAKE

1 Variants of EKE [6] shown to be universally composable [1,8] may appear to be exceptions, but EKE requires anideal cipher defined over a cryptographic group, and it is not clear how that can be realized efficiently.

2

Page 3: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

functionality originally considered by Canetti et al. At a high level, the main distinction is that the UCPAKE functionality of Canetti et al. [10] requires an attacker conducting an online attack against a sessionto make its password guess before that session is completed, whereas the relaxed functionality we consider—which we call lazy-extraction PAKE (lePAKE)—allows the attacker to delay its password guess even untilafter the session completes. (However, the attacker is still allowed to make only a single password guess perone actively attacked session.) On a technical level, this relaxed functionality is easier to realize because itallows the simulator to defer extraction of an attacker’s password guess until a later point in the attacker’sexecution (see further discussion in the technical overview below). Nevertheless, the lazy-extraction PAKEfunctionality continues to capture the core properties expected from a PAKE protocol. In particular, as asanity check on the proposed notion, we show that lePAKE plus key confirmation satisfies the game-basednotion of PAKE with perfect forward secrecy (PFS) [5,2,3].

Implications for PAKE standardization. Recently, the Crypto Forum Research Group (CFRG), whichis an IRTF (Internet Research Task Force) research group focused on the discussion and review of uses ofcryptographic mechanisms, initiated a PAKE selection process with the goal of providing recommendationsfor password-based authenticated key establishment for IETF. Originally, 4 candidates were under consider-ation by the CRFG in the symmetric PAKE category, but currently only SPAKE2 and CPace remain underconsideration. Our results contribute to this selection process by validating SPAKE2 as well as CPace whenthe latter includes additional elements such as the protocol transcript in the key derivation hash.

1.1 Technical Overview

There is a fundamental technical justification for an efficiency gap between known game-based-secure PAKE’sand UC PAKE’s. The reason is that the UC PAKE functionality, as defined by [10] and used in all subsequentworks, requires the adversarial password guesses to be online (and straight-line) extractable from adversary’smessages to PAKE protocol instances run by honest parties. Recall that for a PAKE to be UC secure theremust exist an efficient simulator which simulates PAKE protocol instances given access to the ideal PAKEfunctionality, which in particular requires the simulator to specify a unique explicit password guess for eachPAKE instance which the real-world adversary actively attacks. (The ideal PAKE functionality then allowsthe simulator, and hence the real-world adversary, to control the session key output by this instance if theprovided password guess matched the password used by that PAKE instance, and otherwise the session key israndom and thus secure.) The fact that the simulator must specify this explicit password before the attackedPAKE instance terminates, requires the simulator to online extract the password guess committed in adver-sary’s messages. Moreover, this extraction must be performed straight-line, because universal composibilityprohibits rewinding the adversary.

Unfortunately, online extraction cannot be done for many efficient game-based PAKE’s listed above,because in these protocols each party sends a single protocol message which forms a perfectly hiding commit-ment to the password. Specifically, if g generates group of prime order p then in SPAKE2 each party sendsa message of the form X = gz · (Pi)pw where z ←R Zp , P1, P2 are random group element in the CRS, andi= 1 or 2 depending on the party’s role. In TBPEKE this message has the form X = (P1 · (P2)H(pw))z, andin SPEKE it is X = H(pw)z where H is a hash onto the group. These commitments are binding under thediscrete logarithm hardness assumption (the first two are variants of Pedersen commitment [30], the thirdone requires ROM), and they equivocable, i.e. the simulator can “cheat” on messages sent on behalf of thehonest parties, but they are perfectly hiding and thus not extractable. These commitments can be replacedwith extractable ones, but it is not clear how to do so without increasing protocol costs (or resorting to idealciphers over a group).

PAKE with post-execution input extraction. However, in all the above schemes the final sessionkey is computed by hashing the protocol transcript and the Diffie-Hellman key established by this PAKEinteraction, e.g. Z = gz1·z2 in SPAKE2 or Z = (H(pw))z1·z2 in SPEKE. Since this final hash is modeled asa Random Oracle, an adversary who learns any information on the session key must query this RO hashon the proper input. If the information in this hash query suffices for the simulator to identify the unique

3

Page 4: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

password to which this query corresponds, then a protocol message together with the final hash inputs doform an extractable commitment to the unique password guess the adversary makes on the attacked session.

However, the hash used in the final session key derivation is a local computation each party does in a “post-processing” stage which can be executed after the counterpart terminates the protocol. Therefore a simulatorwhich extracts a password guess from adversary’s protocol message(s) and this local hash computationmight extract it after the attacked session terminates. By the rules of the PAKE functionality of Canettiet al. [10], such extraction would happen too late, because the PAKE functionality allows the simulatorto test a password guess against a session but does so only when this session is still active (and has notbeen attacked previously e.g. on a different password guess). Indeed, it would seem counter-intuitive toallow the ideal-world adversary, i.e. the simulator, to provide the unique effective password guess after theattacked session completes. Nevertheless, this is exactly how we propose to relax the UC PAKE functionalityin order to accommodate protocols where input-extraction is possible, but succeeds only from adversary’spost-processing computation.

The relaxation we propose, the lazy-extraction PAKE, will require the ideal-world adversary to “interrupt”a fresh session while it is active in order to then perform the post-execution password test (we will call suchtests “late” password tests). This models the UC PAKE requirement that an adversary can use an honestPAKE session as a password-testing oracle only if it actively attacks that session, and in particular it stillholds that passively observed sessions do not provide any avenue for an attack. (To keep the new elementsof the lazy-extraction PAKE model clear we use separate terms, resp. RegisterTest and LateTestPwd, for thisnew type of online session interruption and for the late password test, see Section 2.) Moreover, even if theadversary chooses this “lazy-extraction attack” route, the functionality still allows for only a single passwordtest on an actively attacked session. This requirement effectively commits a (computationally bounded)real-world adversary to a unique password guess on each actively attacked session, because an adversarywho performs the local computation related to more than one password test would not be simulatable inthe model where the ideal-world adversary can submit at most one such test to the lazy-extraction PAKEfunctionality.

Explicit authentication and perfect forward security. To test the proposed lazy-extraction UC PAKEnotion we show two further things. First, we show that any lazy-extraction UC PAKE followed by a keyconfirmation round upgrades lazy-extraction UC PAKE to PAKE with explicit (mutual) authentication(PAKE-EA) [14], but it also realizes a stronger variant of lazy-extraction PAKE functionality which we callthe relaxed UC PAKE. In the relaxed PAKE model, the adversary can still make a (single) late passwordtest on an actively attacked session but such sessions are guaranteed to terminate with an abort. Hence, theattacker cannot use a late password test to compromise a session. Intuitively, if a lazy-extraction PAKE isfollowed by a key confirmation and the attacker delays its late password test until after the key confirmationis sent, then the key confirmation must fail and its counterpart will abort on such session. Hence, the “latepassword test” reveals if the tested passworded was correct but it cannot reveal a key of an active session.

Secondly, we show that any relaxed UC PAKE satisfies the game-based notion of PAKE with perfectforward secrecy (PFS) [5,2,3]. (A similar test was done by Canetti et al. with regard to the original UC PAKEnotion [10].) Intuitively, since the lazy-extraction attack avenue against a relaxed PAKE cannot be used tocompromise keys of any active session, it follows that all active sessions, i.e. all sessions which terminate witha session key as opposed to an abort, are as secure in the relaxed UC PAKE model as they are in the originalUC PAKE model of Canetti et al. In particular, they are secure against future password compromise.

Relation to prior work. Jarecki et al. [21] recently introduced the relaxed UC PAKE model in the contextof the asymmetric PAKE (aPAKE) functionality [12], and showed that this relaxation is necessary to provesecurity of the OPAQUE protocol proposed in [20]. As discussed above, the lazy-extraction PAKE modelgoes further than the relaxed PAKE model, and this further relaxation appears to be necessary in order tomodel protocols like SPEKE, SPAKE2, and TBPEKE as universally composable PAKEs. (See Section 2 forthe precise specifications of the lazy-extraction PAKE and the relaxed PAKE models.)

Hasse and Labrique [15] have recently argued that CPace [16] realizes a variant of the lazy-extraction UCPAKE functionality, but the variant of this notion they consider seems unsatisfactory, e.g. it appears notto imply security of passively observed sessions, and it appears to be not realizable as stated (see Section 2

4

Page 5: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

for discussion). They also argue that adding a key-confirmation step suffices to convert such protocol into astandard UC PAKE, while we show that the result is still only a relaxed UC PAKE.2

1.2 Paper Overview

In Section 2, we introduce the two relaxations of the UC PAKE functionality, namely the lazy-extractionUC PAKE and relaxed UC PAKE functionalities, respectively abbreviated as lePAKE and rPAKE, togetherwith the extension of the latter to explicit (mutual) authentication. In Section 3, we show that SPAKE2scheme of [4] is a secure lePAKE under the Gap CDH assumption. In Section 4, we show that any lePAKEprotocol followed by a key confirmation round is a secure rPAKE-EA, i.e. rPAKE with explicit authentication.In Section 5, we show that that every rPAKE-EA protocol satisfies the game-base notion of PAKE withperfect forward secrecy, and that every lePAKE protocol by itself already satisfies weak forward secrecy.In Appendix B, we include the proof that TBPEKE [31] is a secure lePAKE protocol under appropriateassumptions, and we explain that this proof extends to similar results regarding SPEKE [19,28,17]. Somedetails of the above proofs are deferred to Appendices A and C. Finally, we provide game-based proofs forSPAKE2 as supplementary material.

2 Relaxations of UC PAKE

In Fig. 1, we present the PAKE functionality as defined by Canetti et al. [10], and compare it with tworelaxations that we refer to as relaxed PAKE (rPAKE) and lazy-extraction PAKE (lePAKE). We explain ata high level the differences between these various formulations. In the original PAKE functionality FPAKE,after a party initiates a session (but before the party generates a key) the attacker may try to guess thepassword used in that session by making a single TestPwd query. If the attacker’s password guess is correct, thesession is marked compromised; if not, the session is marked interrupted. When a session key is later generatedfor that session, the attacker is given the ability to choose the key if the session is marked compromised, buta random key is chosen otherwise. Importantly, the attacker is only allowed to make a password guess for asession before the key is generated and the session terminates.

In both the relaxed PAKE functionality FrPAKE and the lazy-extraction PAKE functionality FlePAKE, theattacker is given the ability to make a password guess for a session even after a session key is generatedand that session has completed. Formally, this is allowed only if the attacker makes a RegisterTest querybefore the session key is generated; this indicates the attacker’s intention to (possibly) make a passwordguess later, and models active interference with a real-world protocol execution. (Of course, the attacker alsohas the option of making a password guess before a key is generated as in the original FPAKE.) Having madea RegisterTest query for a session, the attacker may then make a LateTestPwd query to that session after thesession key K is generated. FrPAKE and FlePAKE differ in what happens next:

– In FrPAKE, the attacker is only told whether or not its password guess is correct, but learns nothingabout K in either case.

– In FlePAKE, the attacker is given K if its password guess is correct, and given a random key otherwise.3

It is easy to see that both FrPAKE and FlePAKE are relaxations of FPAKE, in the sense that any protocolrealizing FPAKE also realizes FrPAKE and FlePAKE. Although, as defined, FlePAKE and FrPAKE are incomparable,the version of FlePAKE in which the attacker is additionally notified whether its password guess is correct (cf.Footnote 3) is a strict relaxation of FrPAKE.

Following the work of Groce and Katz [14], we also consider PAKE functionalities that incorporate explicit(mutual) authentication, which we refer to as PAKE-EA.4 Intuitively, in a PAKE-EA protocol a party should

2 In [15] this is explicitly claimed not for CPace itself but for its asymmetric (aPAKE) version called AuCPace.3 Note that here the attacker is not explicitly notified whether its password guess is correct. While it is arguably

more natural to notify the attacker, we obtain a slightly stronger functionality by omitting this notification.4 Although Canetti et al. [10] informally suggest a way of modeling explicit authentication in PAKE, the functionality

they propose seems unacceptably weak in the sense that it does not require a party to abort even when an attackersuccessfully interferes with its partner’s session.

5

Page 6: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Session initiation

On (NewSession, sid ,P,P ′, pw , role) from P, ignore this query if record 〈sid ,P, ·, ·, ·〉 already exists. Otherwiserecord 〈sid ,P,P ′, pw , role〉 marked fresh and send (NewSession, sid ,P,P ′, role) to A.

Active attack

– On (TestPwd, sid ,P, pw∗) from A, if ∃ a fresh record 〈sid ,P,P ′, pw , ·〉 then:• If pw∗ = pw then mark it compromised and return “correct guess”;• If pw∗ 6= pw then mark it interrupted and return “wrong guess”.

– On (RegisterTest, sid ,P) from A, if ∃ a fresh record 〈sid ,P,P ′, ·, ·〉 then

mark it interrupted and flag it tested.

– On (LateTestPwd, sid ,P, pw∗) from A, if ∃ a record 〈sid ,P,P ′, pw , ·,K〉marked completed with flag tested then remove this flag and do:

• If pw∗ = pw then return K “correct guess” to A;

• If pw∗ 6= pw then return K$ ←R {0, 1}κ “wrong guess” to A.

Key generation

On (NewKey, sid ,P,K∗) from A, if ∃ a record 〈sid ,P,P ′, pw , role〉 not marked completed then do:

– If the record is compromised, or either P or P ′ is corrupted, then set K := K∗.– If the record is fresh and ∃ a completed record 〈sid ,P ′,P, pw , role′,K′〉 with role′ 6= role that was fresh whenP ′ output (sid ,K′), then set K := K′.

– In all other cases pick K ←R {0, 1}κ.

Finally, append K to record 〈sid ,P,P ′, pw , role〉, mark it completed, and output (sid ,K) to P.

Fig. 1. UC PAKE variants: The original PAKE functionality FPAKE of Canetti et al. [10] is the version with allgray text omitted. The relaxed PAKE functionality FrPAKE includes the gray text but omits the boxed portions; thelazy-extraction PAKE functionality FlePAKE includes the gray text but omits the dashed portions.

6

Page 7: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Session initiation

On (NewSession, sid ,P,P ′, pw , role) from P, ignore this query if record 〈sid ,P, ·, ·, ·〉 already exists. Otherwiserecord 〈sid ,P,P ′, pw , role〉 marked fresh and send (NewSession, sid ,P,P ′, role) to A.

Active attack

– On (TestPwd, sid ,P, pw∗) from A, if ∃ a fresh record 〈sid ,P,P ′, pw , ·〉 then:• If pw∗ = pw then mark it compromised and return “correct guess”;• If pw∗ 6= pw then mark it interrupted and return “wrong guess”.

– On (RegisterTest, sid ,P) from A, if ∃ a fresh record 〈sid ,P,P ′, ·, ·〉then mark it interrupted and flag it tested.

– On (LateTestPwd, sid ,P, pw∗) from A, if ∃ a record 〈sid ,P,P ′, pw , ·,K〉marked completed with flag tested then remove this flag and do:

• If pw∗ = pw then return “correct guess” to A.

• If pw∗ 6= pw then return “wrong guess” to A.

Key generation and explicit authentication

– On (GetReady, sid ,P) from A, if ∃ a record 〈sid ,P,P ′, pw , role〉 marked

fresh then re-label it ready.

– On (NewKey, sid ,P,K∗) from A, if ∃ a record 〈sid ,P,P ′, pw , role〉 not marked completed then do:

• If the record is compromised, or P or P ′ is corrupted, or K∗ = ⊥ , then set K:=K∗.

• Else, if the record is fresh or ready, and ∃ a record 〈sid ,P ′,P, pw , role′〉marked ready s.t. role′ 6= role then pick K ←R {0, 1}κ.

• Else, if the record is ready and ∃ a completed record 〈sid ,P ′,P, pw , role′,K′〉 with role′ 6= role that was

fresh when P ′ output (sid ,K′), then set K := K′.

• In all other cases, set K := ⊥ .

Finally, append K to record 〈sid ,P,P ′, pw , role〉, mark it completed, and output (sid ,K) to P.

Fig. 2. The FrPAKE-EA functionality for relaxed PAKE-EA. The original PAKE-EA of Groce and Katz [14] correspondsto the version with gray text omitted. The boxed text highlights the differences from FrPAKE.

7

Page 8: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

abort if it did not establish a matching session key with its intended partner. As in the case of PAKE, theoriginal PAKE-EA functionality introduced by Groce and Katz required the attacker to make its passwordguess before the session key is generated, while we introduce a relaxed version of the PAKE-EA functionality,denoted FrPAKE-EA and shown in Fig. 2, that allows the attacker to delay its password guess until after thesession has completed.5 If the attacker’s guess is correct, it is notified of that fact; our relaxation thus parallelsthat of FrPAKE. Note that such late password guess can only be performed on aborted sessions, since theattacker must send a RegisterTest query before the session completes, which marks the session interrupted,and by the rule of explicit authentication, an interrupted session must result in aborting.

Besides the intuitive appeal of our relaxed definitions, we justify these relaxations by showing that it iseasy to realize FrPAKE-EA in the FlePAKE-hybrid world (Section 4), that any protocol realizing FrPAKE satisfiesperfect forward secrecy (Section 5), and that any protocol realizing FlePAKE satisfies weak forward secrecy(Section 5.3).

Note on the relaxed PAKE functionality used in [15]. A preliminary version of the lazy-extractionPAKE functionality, referred as “relaxed PAKE” therein, appeared in an early version of [21] and wasadopted by [15] as a model for the CPace protocol. This version is imprecise in several respects: First, itdoes not require the adversary to explicitly attack an online session via a RegisterTest query before issuing aLateTestPwd query on a completed session. This appears too weak, e.g. because it allows an adversary to issueLateTestPwd queries even on passively observed sessions. On the other hand, it restricts the adversary frommaking a LateTestPwd query upon completion of the matching counterpart’s session (with a matching sidbut not necessarily a matching password), which appears too strong, because a man-in-the-middle attackercan make P ′ complete with a random key or an abort, and this does not affect its capabilities regarding partyP. Our lazy-extraction PAKE functionality makes this notion more precise, and in Appendix B we show thatTBPEKE [31] and SPEKE [19] realize the lePAKE fuctionality under (Gap) CDH and SDH assumptions.Since CPace [15,16] is a close variant of SPEKE these results will therefore apply also to CPace if its keyderivation hash is modified to include additional elements such as the protocol transcript (see Section 3.1).

3 Security of SPAKE2

We consider SPAKE2 as a motivating example for our work. SPAKE2 was proposed by Abdalla andPointcheval [4] and shown secure in the game-based PAKE model [5] under the CDH assumption in theROM. SPAKE2 is, to the best of our knowledge, the most efficient PAKE protocol which does not assumeideal cipher over a group. Its costs are 2 fixed-base and 1 variable-base exponentiations per party, and it isround-minimal because it can be executed in a single simultaneous round of bi-directional communication.

We give independent proofs that SPAKE2 realizes lazy-extraction UC PAKE and that it meets the game-based PFS definition, which was not considered in [4]. The lazy-extraction UC PAKE result is tight withrespect to Gap CDH, but the game-based PFS result is not: we require a special assumption introducedin [4] for which a reduction to Gap CDH is known, but this is not tight. Still, since we do not know thatlazy-extraction UC PAKE security implies PFS security, this result is the only one we have for the PFSsecurity of (raw) SPAKE2.6 Below, we only include the proof that SPAKE2 realizes the lazy-extraction UCPAKE functionality. The direct proofs that SPAKE2 realizes the game-based PAKE (with tight reduction)and game-based PAKE with PFS (with security degradation) are included as supplementary material.

We recall the two-flow, simultaneous round SPAKE2 protocol of [4] in Fig. 3, with some notational choicesadjusted to the UC setting.

5 While relaxing the Groce-Katz functionality, we also make some minor changes to their original: (1) we make theparties symmetric, and do not require the server to generate a session key first, and (2) we allow the adversaryto force a party to abort by sending a (NewKey, sid ,P,⊥) message. (This second modification is required, and itsomission appears to be an oversight of Groce and Katz.)

6 Note that the combined results of Sections 4 and 5 show that SPAKE2 followed by a key confirmation round isPFS secure with tight security with respect to Gap CDH.

8

Page 9: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Public parameters: generator g and random elements M,N of group Gof prime order p; hash function H : X → {0, 1}κ

P on (NewSession, sid ,P,P ′, pw , client): P ′ on (NewSession, sid ,P ′,P, pw ′, server):

x←R Zp y ←R Zp

X ← gx ·Mpw Y ← gy ·Npw′

-X � Y

Y ← Y/Npw X ← X/Mpw′

K ← H(sid ,P,P ′, X, Y, pw , Y x) K′ ← H(sid ,P,P ′, X, Y, pw ′, Xy)output K output K′

Fig. 3. SPAKE2 protocol of [4]

Theorem 1. SPAKE2 realizes the Lazy-Extraction PAKE functionality FlePAKE in ROM under the Gap-CDHassumption.

CDH and Gap CDH assumptions. Recall that the Computational Diffie-Hellman (CDH) assumptionstates that, given generator g and two random elements X = ga, and Y = gb in a cyclic group of primeorder, it is hard to find Z = CDHg(X,Y ) = gab. In the gap version, the problem must remain hard even ifthe adversary has access to a Decisional Diffie-Hellman oracle.

Simulator for SPAKE2. The UC simulator SIM for SPAKE2, given in full in Fig. 4, acts as the idealadversary, with access to the ideal functionality FlePAKE (shortened to F in the subsequent discussion andproof). The goal is to emulate (except for negligible probability), the real-world interactions between theenvironment Z, any real adversary A, and the real SPAKE2 protocol.

Thus, SIM must simulate messages that appear to come from the real players, respond appropriately toadversarial messages, and answer random oracle queries consistently. SIM has access to the F interface, butnot the secret inputs (i.e, the passwords) of the honest players.

We briefly describe how SIM simulates client P’s interaction with Z/A; the server case is similar since theprotocol is symmetric. SIM first embeds trapdoors into the CRS, i.e., it picks m,n←R Zp and sets M = gm

and N = gn. To simulate the protocol message X, SIM picks z ←R Zp and sets X = gz. Since X is alsouniformly distributed in the real protocol, the environment cannot tell the difference. When A queries therandom oracle H(sid ,P,P ′, X, Y ′, pw,W ), SIM decides whether it corresponds to a valid password guess:SIM first computes the exponent x such that X = gx ·Mpw, using the CRS trapdoor m, and then checks ifW = (Y ′/Npw )x. If so, then SIM stores (Y ′, pw). If A later sends a protocol message Y ′ aimed at P, thenthis is an online attack: when A makes the RO query, SIM picks a random string K as the output, and storesK together with (Y ′, pw). Then, when A sends Y ′, SIM sends (TestPwd, sid,P, pw) to F , and if F replies“correct guess,” then SIM sets P’s key to K by sending (NewKey, sid ,P,K) to F ; if F replies “wrong guess,”then SIM sends (NewKey, sid ,P, 0κ) to F (and F will set P’s key to a random string). On the other hand, ifA makes the RO query after sending Y ′, then this is a postponed attack, so SIM sends (RegisterTest, sid,P)to F when A sends Y ′, and later sends (LateTestPwd, sid ,P, pw) to F when A makes the RO query; uponF replying a key K, SIM “programs” the RO output as K.

Record keeping. For each party identifier P and session identifier sid , the simulator SIM stores a stateπsidP containing the following values:

– The role role ∈ {client, server} of P in this session.– The private exponent exp used in the network messages, x for C and y for S. In the first few games,

this exponent has the same meaning as in the protocol, however, in the final simulator, it is the actualdiscrete log of the simulated network message.

– The transcript of the session includes variables (C,S, X, Y,X∗, Y ∗), where C,S are party identifiers forclient and server respectively, X,Y are simulated messages, and X∗, Y ∗ are adversarial messages. Note

9

Page 10: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

that SIM only directly stores messages X and Y ∗ for clients (copying Y from the server if it exists), andsymmetrically stores Y and X∗ for servers (copying X from the client if it exists). Unknown values areset to ⊥.

– The password pw of the party. This value is only set and used in intermediate games when the simulatorknows the parties’ passwords and needs to directly verify password guesses.

– A table guesses mapping values Z∗ to tuples (pw, k∗), representing potential password guesses, andcorresponding keys, made by the adversary using the random oracle H. If an adversarial network messageZ∗ is received, the simulator can then look up the corresponding password pw, which it sends to F totest; if the guess is correct, SIM instructs F to set the final key as k∗, and otherwise lets F pick a randomkey.

– A flag waiting set to T if no adversarial message Z∗ has been received for this party and sid , and F

otherwise. This flag ensures that the first adversarial message for each (P, sid) pair is processed, and allothers are ignored.

The simulator additionally stores a global value qs which is the maximum number of paired sessions, upperbounded by the total number of values Z∗ sent by A.

Let RealZ,A,SPAKE2 be the probability of the event that environment Z with adversary A outputs 1 inthe real world, and IdealZ,SIM,SPAKE2 be the corresponding probability in the ideal world. The goal is toshow that |RealZ,A,SPAKE2 − IdealZ,SIM,SPAKE2| is negligible.

We use the well-known sequence-of-games proof strategy to show that we may move from the real game tothe simulator in a manner indistinguishable to the environment, except for negligible probability. We beginwith Game 0, the real game, and move through a series of steps, each of which we show to be indistinguishablefrom the previous, to the final simulator. The full code of intermediate Games 1-4 is illustrated in Appendix C.Throughout the proof, Gi denotes the probability that Z outputs 1 while interacting with Game i.

Proof of Theorem 1.

Game 0. This is the real world, in which A interacts with real players, and may view, modify, and/or dropnetwork messages.

RealZ,A,SPAKE2 = Pr [G0].

Game 1. (Simulate real world with trapdoors) We now simulate the behavior of the real players and therandom oracle. The simulation is exactly as the real game, except for the inclusion of record keeping, andembedding of trapdoors in M and N , i.e, setting M = gm;N = gn for known m and n. The embedding oftrapdoors is not noticeable to the environment as M,N are still drawn from from the same distribution asbefore, thus:

Pr [G1] = Pr [G0].

Game 2. (Random key if adversary is passive) If the adversary passes a simulated Z message sent to(sid ,P) without modification, output a random key for P instead of the true random oracle output. Theenvironment notices this change only if A makes a hash query that would result in an inconsistency, namelyH(sid , C,S, X ′, Y ′, pw ,W = gxy), where X ′ = gxMpw , Y ′ = gyNpw are the simulated messages. We checkfor such queries, and abort if any occur.

We may reduce this event to Gap-CDH as follows: Consider an adversary B2 against Gap-CDH. Ongeneralized CDH challenge7 (A1 = ga1 , · · · , Aqs = gaqs , B1 = gb1 , · · · , Bqs = gbqs ), the reduction indexessessions (sid ,P,P ′), and embeds Xi = Ai ·Mpwi , Y = Bi · Npwi when generating the simulated messagesfor the ith session. The reduction can re-use the code of G2, except for the cases where it requires the secretexponents ai and bi: (1) to generate K ← H(sid , C,S, X, Y, pw , Y ai{or Xbi}) and (2) to check for the “badevent” of an inconsistency in the hash response. To handle case (1), the reduction stores an additional valueK for each session (sid , C,S) which is set randomly when either the reduction must handle case (1), or whenA queries H(sid , C,S, X ′, Y ′, pw ,W ) such that the password is correct and DDH(X ′, Y ′,W ) holds (checkedvia the DDH oracle): if either of these events happens again the same value of K is used. The check of case

7 The generalized CDH problem is tightly equivalent to the CDH problem by random-self reducibility.

10

Page 11: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

generate CRS

M ← gm;N ← gn for (m,n)←R Zpreturn M,N

on (NewSession, sid ,P,P ′, role) from Fif πsidP 6= ⊥: return ⊥

(X,Y )← (⊥,⊥)if role = client :

(C,S)← (P,P ′)z ←R Zp ; X ←Mz; Z ← X

if πsidP′ 6= ⊥ and πsid

P′ .role 6= client: Y ← πsidP′ .Y ; πsid

P′ .X ← Xelse if role = server :

(C,S)← (P ′,P)z ←R Zp ; Y ← Nz; Z ← Y

if πsidP′ 6= ⊥ and πsid

P′ .role 6= server: X ← πsidP′ .X; πsid

P′ .Y ← Y

πsidP ← (role, z, C,S, X, Y,⊥,⊥,⊥,⊥, T)

send Z from P to A

on Z∗ from A as msg to (sid ,P)

if πsidP = ⊥ or πsid

P .waiting = F: return ⊥(role, ·, C,S, X, Y, ·, ·, ·, guesses, ·)← πsid

PK ← 0κ

if role = client :

πsidP .Y ∗ ← Z∗

if Z∗ = Y : jump to end

else if role = server :

πsidP .X∗ ← Z∗

if Z∗ = X: jump to end

if πsidP .guesses[Z∗] = (pw , k∗):reply← (TestPwd, sid ,P, pw) to Fif reply = “correct”: K ← k∗

else: send (RegisterTest, sid ,P) to Fend: πsid

P .waiting = F

send (NewKey, sid ,P,K) to F

on H(sid , C,S, X ′, Y ′, pw ,W ) from A:

if TH[sid , C,S, X ′, Y ′, pw ,W ] = ⊥:K ←R {0, 1}κ; (x, y) ← (⊥,⊥)

if πsidC 6= ⊥: x← m · πsid

C .exp−m · pw

if πsidS 6= ⊥: y ← n · πsid

S .exp− n · pw

if πsidC .X = X ′ and πsid

S .Y = Y ′ and W = gxy: abort

else if πsidC .X = X ′ and W = (Y ′/Npw )x :

if Y ′ = πsidC .Y ∗: P ← C; jump to late test pw

else: πsidC .guesses[Y ′]← (pw ,K)

else if πsidS .Y = Y ′ and W = (X ′/Mpw )y:

if X ′ = πsidS .X∗: P ← S; jump to late test pw

else: πsidS .guesses[X ′]← (pw ,K)

jump to end

late test pw: reply← (LateTestPwd, sid ,P, pw) to FK ← reply; if no reply, abort

end: TH[sid , C,S, X ′, Y ′, pw ,W ]← Ksend TH[sid , C,S, X ′, Y ′, pw ,W ] to A

Fig. 4. UC Simulator for SPAKE2.

11

Page 12: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

(2) can be done via the DDH oracle, i.e., by querying DDH(Ai, Bi,W ): if the bad event occurs, B2 solves theCDH challenge with answer W . Thus:

|Pr [G2]− Pr [G1]| ≤ AdvGCDHB2

.

Game 3. (Random simulated messages) On (NewSession, sid ,P,P ′, role), if this is the first NewSession for(sid ,P), set Z ← gz for z ←R Zp , and send Z to A as a message from P to (P ′, sid). Note that we may nowcompute the original exponents via: x = m · πsid

C .exp−m · pw and y = n · πsidS .exp− n · pw . This change is

not observable to the environment, as it is merely a syntactic change in the calculation of the exponents:

Pr [G3] = Pr [G2].

Game 4. (Random keys if adversary does not correctly guess password) We now detect when an adversarialhash query corresponds to a password guess. We can detect this event by inspecting the X ′, Y ′, pw and Wvalues provided to the hash oracle. Let us assume the adversary is guessing the client’s password (the servercase is symmetric). To make a password guess against the client, the adversary must set X ′ = πsid

C .X, i.e.,use the simulated message sent by the client. The adversary can use any choice of Y ′, but to correspondwith a specific password guess, the following must hold: W = (Y ′/Npw )x (where x is the exponent such thatπsidC .X = gxMpw ). In other words, W must be the value that would be used by a real client if Y ′ were sent

as the server’s message. If such a password guess query is detected, we check if Y ′ was previously sent asan adversarial message on behalf of the server: if so, and if the password guess is correct, we program therandom oracle to match the previously sent key. If Y ′ was not previously sent, we note the values Y ′, pwqueried by the adversary and the random key K output by the RO. If Y ′ is later sent as the adversarialmessage, and the password is correct, we output the stored key K. If the password is incorrect, we output arandom key independent of the RO table. If at any point a second password guess (correct or incorrect) isdetected for the same sid and party, we abort the game.

This change is noticeable to the environment only in the abort case, i.e, the case where the adversarymakes two password guesses with a single (X ′, Y ′) transcript, i.e.:

H(sid ,P,P ′, X ′, Y ′, pw , Z) and H(sid ,P,P ′, X ′, Y ′, pw ′, Z ′),

such that pw 6= pw ′, and

CDH(gmx/Mpw , gny/Npw ) = Z and CDH(gmx/Mpw ′ , gny/Npw ′) = Z ′.

Call this event bad4. It can be split into two cases: 1) for one of the passwords pw∗ ∈ {pw , pw ′} it holdsthat X ′ = Mpw∗ or Y ′ = Npw∗ , i.e., there is a collision between the guessed password pw∗ and the secretexponent x or y or 2) there is no such collision. Case 2, which we denote bad1

4, can be reduced to Gap-CDH,as shown in Lemma 1. Case 1 can be reduced to Gap-DL as follows: Adversary B4.2 on Gap DL challengeA = ga, sets simulated messages as: Xi = A · g∆i,x and Yi = A · g∆i,y , picking a fresh random ∆i,x and ∆i,y

for each session (sid ,P,P ′). In the ith session (for every i), B4.2 uses the DDH oracle to check for bad4. Iftrue, B4.2 further checks if Y ′ = Npw∗ or X ′ = Mpw∗ for one of the passwords: in the former case this meansthat Y ′ = Npw = A · g∆i,y , so npw = a + ∆i,y, and B4.2 can output the DL solution is a = npw/∆i,y, andthe latter case is symmetric. We have that

|Pr [G4]− Pr [G3]| ≤ AdvGDLB4.1

+ AdvGCDHB4.2

.

Game 5. (Use FlePAKE interface) In the final game, we modify the challenger so that it uses the RegisterTest,TestPwdand LateTestPwd interfaces to check passwords, and the NewKey interface to set keys. This is an internalchange that is not noticeable to the environment, thus

Pr [G5] = Pr [G4].

In addition, this simulator perfectly mimics the ideal world except for the cases where it aborts, whichwe have already shown to happen with negligible probability, so:

IdealZ,SIM,SPAKE2 = Pr [G5].

12

Page 13: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Thus the distinguishing advantage of Z between the real world and the ideal world is:

|IdealZ,SIM,SPAKE2 −RealZ,A,SPAKE2| ≤ AdvGCDHB2

+ AdvGDLB4.1

+ AdvGCDHB4.2

,

which is negligible if Gap-CDH is hard.

Lemma 1. For every attacker A, there exists an attacker B4.1 (whose running time is linear in the runningtime of A) such that:

Pr[G4→ bad14] ≤ AdvGCDH

B4.1

Proof. Consider an attacker B4.1 against GCDH. It receives a challenge (M = gm, N = gn) and wants tofind CDH(M,N) = gmn. The attacker emulates G4, except for setting the CRS values as M,N from thechallenge instead of randomly. It uses the DDH oracle to carry out the three checks in the if/else if/else ifstructure of the hash response, and for detecting the bad event.

In particular, it detects the bad event bad14 when it sees two hash queries (sid , X ′, Y ′, pw , Z) and

(sid , X ′, Y ′, pw ′, Z ′) such that pw 6= pw ′, and both of the following hold, where either x or y is known(i.e, chosen by the attacker as the exponent for a simulated message):

CDH(gmx/Mpw , gny/Npw ) = Z (1)

CDH(gmx/Mpw ′ , gny/Npw ′) = Z ′ (2)

The attacker can then solve for the CDH response, gnm, as follows.First, write Z = gz;Z ′ = gz

′for unknown z, z′ ∈ Zp . Considering only the exponents in Eqs. (1) and (2),

we have that:

m(x− pw) · n(y − pw) = z (3)

m(x− pw ′) · n(y − pw ′) = z′ (4)

Assume that the attacker knows the exponent x (the other case is symmetric). Scaling Eqs. (3) and (4)by resp. (x− pw ′) and (x− pw), gives:

m(x− pw ′)(x− pw) · n(y − pw) = z · (x− pw ′) (5)

m(x− pw)(x− pw ′) · n(y − pw ′) = z′ · (x− pw) (6)

Subtracting Eq. (6) from Eq. (5) allows us to remove the unknown y term:

mn(x− pw)(x− pw ′)(pw ′ − pw) = z · (x− pw ′)− z′ · (x− pw) (7)

Finally, we may solve for the desired CDH value:

gmn = (Z(x−pw ′) · Z ′(pw−x))1/(x−pw)(x−pw ′)(pw−pw ′)

This is possible as long as we are not dividing by zero, i.e., if pw 6= x and pw ′ 6= x, which is explicitlyexcluded in the definition of event bad1

4 (see Case 2 of G4 for handling of this case).

Remark. The proof relies on the gap version of CDH [29], and it seems hard to prove security from thestandard CDH assumption. The Decision Diffie-Hellman oracle is used throughout the proof to maintainconsistency of answers to RO queries, and that this is needed even to deal with sessions in which theadversary is passive: the reduction still needs to be able to consistently deal with the sessions where theattacker is active and the attacker may adaptively decide to launch an active attack after seeing one of theprotocol messages. The same happens for all the other PAKE protocols we describe next.

13

Page 14: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

3.1 Extensions to TBPEKE, SPEKE, and their variants

In Appendix B, we prove that the TBPEKE protocol proposed by Pointcheval and Wang [31] also realizesthe lazy-extraction PAKE functionality under the same assumptions which were used to prove its game-based security. Moreover, since TBPEKE is a representative example of a class of protocols which includesSPEKE [19,28,17] and CPace [15,16], the same holds for these other protocols as well, or for their closevariants. These additional examples show that the lazy-extraction PAKE model captures a broad class ofpractical PAKE protocols.

The proof that TBPEKE is a secure lazy-extraction PAKE follows the same structure as the one we givefor SPAKE2, but a stronger computational assumption is required to exclude the possibility that an attackercan place multiple consistent queries to the Random Oracle (see Appendix B). It is straightforward to adaptour security proof for TBPEKE to show that lazy-extraction UC PAKE functionality is realized under thesame assumptions also by SPEKE.8 Since CPace is a close variant of SPEKE, this holds also for CPace ifadditional elements, such as the protocol transcript, are included in the key derivation hash.9

4 Adding Explicit Authentication

We will show that any protocol that securely realizes the lazy-extraction UC PAKE functionality FlePAKE,followed by a key confirmation round, is a secure realization of the relaxed UC PAKE-EA functionalityFrPAKE-EA. (See Section 2 for the definition of these functionalities.) This protocol compiler construction isshown in Fig. 5.

P on (NewSession, sid ,P,P ′, pw , client): P ′ on (NewSession, sid ,P ′,P, pw ′, server):

-(NewSession, sid ,P,P ′, pw , client) �(NewSession, sid ,P ′,P, pw ′, server)

lePAKE prot. Π

�(sid , k) -(sid , k′)

K = PRFk(1) K′ = PRFk′(1)τC = PRFk(2) τS = PRFk′(3)γC = PRFk(3) -τC � τS γS = PRFk′(2)

if τS = γC: output (sid ,K) if τC = γS : output (sid ,K′)else: output (sid ,⊥) else: output (sid ,⊥)

Fig. 5. Compiler from lePAKE protocol Π to rPAKE-EA protocol Π ′.

Theorem 2. Protocol Π ′ shown in Fig. 5 realizes the Relaxed PAKE-EA functionality FrPAKE-EA if Π realizesthe Lazy-Extraction PAKE functionality FlePAKE and PRF is a secure PRF.

Figure 6 shows the simulator used in the proof of Theorem 2, but the full proof of this theorem is deferredto Appendix A.

Compiler from PAKE to PAKE with entity authentication. If we replace the lazy-extraction PAKEfunctionality with the (standard) PAKE, then the same compiler construction realizes the (standard) PAKE

8 For instance, in the case of SPEKE (in which g = G(pw)), one can adapt the proof for TBPEKE by simulatingthe random oracle G as U · V P(pw).

9 In CPace [15] the key derivation hash includes only the session ID and the Diffie-Hellman key, while our proof ofTBPEKE security assumes that it includes also party IDs, the password-dependent base, and the transcript.

14

Page 15: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

On (NewSession, sid ,P,P ′, role) from FIf there is no record 〈sid ,P, . . .〉 then:

Send (NewSession, sid ,P,P ′, role) to A and store 〈sid ,P,P ′, role〉 marked fresh.On (TestPwd, sid ,P, pw∗) from AIf there is a fresh record 〈sid ,P, . . .〉 then:

Send (TestPwd, sid ,P, pw∗) to F ;If F replies “correct guess” then pass it to A and mark this record compromised.If F replies “wrong guess” then pass it to A and mark this record interrupted.

On (RegisterTest, sid ,P) from AIf there is a fresh record 〈sid ,P, . . .〉 then:

Mark this record interrupted and flag it tested.On (NewKey, sid ,P, k∗) from AIf there is a record 〈sid ,P,P ′, role〉 not completed then:

Define k as follows:If this record is compromised, or P or P ′ is corrupted, then set k := k∗.Else if this record is interrupted (tested or not), then set k ←R {0, 1}κ.Else set k := ⊥.

If k 6= ⊥ then:If role = client then set τ := PRFk(2) and γ := PRFk(3);If role = server then set τ := PRFk(3) and γ := PRFk(2);

Else, i.e., if k=⊥, pick τ ←R {0, 1}κ, set γ :=⊥, and send (GetReady, sid ,P) to F ;Mark record 〈sid ,P,P ′, role〉 “completed with key k and tag γ”;Send τ to A as the authenticator from P to P ′.

On delivery of an authenticator from AIf record 〈sid ,P,P ′, role〉 is marked “completed with key k and tag γ”, and A sends a purported authenticator,denoted τ∗, to protocol instance (sid ,P) then:

If 〈sid ,P,P ′, role〉 is flagged tested:Send (RegisterTest, sid ,P) to F .

If k 6= ⊥ then:If τ∗ = γ then send (NewKey, sid ,P,PRFk(1)) to F .If τ∗ 6= γ then send (NewKey, sid ,P,⊥) to F .

If k = ⊥ (i.e., the record was fresh right before it became completed) then:If there is a completed record 〈sid ,P ′,P, role′〉 for role′ 6= role, which was

marked fresh right before it became completed, and which sent outauthenticator τ ′ s.t. τ∗ = τ ′, then send (NewKey, sid ,P, 0κ) to F .

Else send (NewKey, sid ,P,⊥) to F .On (LateTestPwd, sid ,P, pw∗) from AIf there is a record 〈sid ,P, . . .〉 marked “completed with key k”, and flagged tested:

Remove the tested flag from this record;If A did not send an authenticator to protocol instance (sid ,P) then send

(TestPwd, sid ,P, pw∗) to F ;Else send (LateTestPwd, sid ,P, pw∗) to F ;If F replies “correct guess” then send k to A.If F replies “wrong guess” then send k$ ←R {0, 1}κ to A.

Fig. 6. Simulation for relaxed PAKE-EA protocol in Figure 5.

15

Page 16: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

with explicit authentication functionality. In other words, by dropping the “laziness” of the underlyingPAKE protocol, we get a compiler from PAKE to PAKE with explicit authentication. While technicallynot a corollary of Theorem 2, it is clear that the proof of Theorem 2 can be slightly modified to prove thisconclusion: In that proof, the simulator SIM sends a password test (i.e., send a LateTestPwd message toFrPAKE-EA) only if A does so (i.e., sends LateTestPwd message aimed at FlePAKE played by SIM); therefore, ifboth SIM and A are not allowed to do a late password test, the simulation will still succeed.

While the fact that PAKE plus “key confirmation” yields PAKE with explicit authentication is wellknown, to the best of our knowledge, there has been no proof of this in the UC setting.

SPAKE2 with key confirmation. An immediate corollary of Theorems 1 and 2 is that SPAKE2 with keyconfirmation realizes the relaxed UC PAKE-EA functionality FrPAKE-EA under the Gap-CDH assumption inROM. Fig. 7 shows the resulting 3-flow protocol with the client as the initiator.

Public parameters: generator g and random elements M,N of group Gof prime order p; hash function H : X → {0, 1}κ

P on (NewSession, sid ,P,P ′, pw , client): P ′ on (NewSession, sid ,P ′,P, pw ′, server):

x←R Zp y ←R Zp

X ← gx ·Mpw Y ← gy ·Npw′

-X X ← X/Mpw′

k′ ← H(sid ,P,P ′, X, Y, pw ′, Xy)K′, τS , γS ← PRFk′(1),PRFk′(3),PRFk′(2)

Y ← Y/Npw �(Y, τS)

k ← H(sid ,P,P ′, X, Y, pw , Y x)K, τC , γC ← PRFk(1),PRFk(2),PRFk(3)

if τS = γC : output K -τC if τC = γS : output K′

else: output ⊥ else: output ⊥

Fig. 7. SPAKE2 with key confirmation.

5 PAKE Relaxations and PFS

In this section we prove that any protocol that realizes the Relaxed PAKE functionality satisfies the stan-dard game-based notion of security for PAKE protocols offering perfect forward secrecy (PFS). This is animportant sanity check for the definition, as it shows that the extra power given to the ideal-world adver-sary by the late test feature does not weaken the security guarantee for PAKE sessions that are completedbefore passwords are corrupted. We show that a similar argument can be used to show that the weakerLazy-Extraction PAKE definition implies a weak form of PFS, referred to as weak FS, where security in thepresence of password leakage is only guaranteed with respect to passive attackers [24,27].

5.1 Defining PFS

We recall the standard game-based notion of security for PAKE protocols and which follows from a series ofworks [2,3] that refined the security notion proposed by Bellare, Pointcheval and Rogaway in [5]. Section 3and supplementary material include the full details.

16

Page 17: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

The definition is based on an experiment in which a challenger emulates a scenario where a set of partiesP1, . . . ,Pn, each running an arbitrary number of PAKE sessions, relies on a trusted setup procedure toestablish pre-shared long-term (low-entropy) passwords for pairwise authentication. Passwords for each pair(Pi,Pj) are sampled from a distribution over a dictionary D; we assume here the case where D is any setof cardinality greater than one, and each password is sampled independently and uniformly at random fromthis set.10 A ppt adversary A is challenged to distinguish established session keys from truly random oneswith an advantage that is better than password guessing.

The security experiment goes as follows. The challenger first samples passwords for all pairs of parties,generates any global public parameters (CRS) that the protocol may rely on and samples a secret bit b. Thechallenger manages a set of instances πji , each corresponding to the state of session instance j at party Pi,according to the protocol definition. The adversary is then executed with the CRS as input; it may interactwith the following set of oracles, to which it may place multiple adaptive queries:

Execute: Given a pair of party identities (Pi,Pj) this oracle animates an honest execution of a new PAKEsession established between the two parties and returns the communications trace to the attacker. Thisgives rise to two new session instances πki and πlj , which for correct protocols will have derived the sameestablished session key.

Send: Given a party identity Pi, an instance j and a message m, this oracle processes m according to thestate of instance πji (or creates this state if the instance was not yet initialized) and returns any outgoingmessages to the attacker.

Corrupt: Given a pair of party identities (Pi,Pj), this oracle returns the corresponding pre-shared pass-word.

Reveal: Given a party identity Pi and an instance j, this oracle checks πji and, if this session instance hascompleted as defined by the protocol, the output of the session (usually either a secret key or an abortsymbol) is returned to the attacker.

RoR: Given a party identity Pi and an instance j, this oracle checks πji and, if this session instance hascompleted as defined by the protocol and this session instance is fresh, the adversary is challenged onguessing bit b: if b = 0 then the derived key is given to the attacker; otherwise a new random key isreturned.11

Eventually the adversary terminates and outputs a guess bit b′. The definition of advantage excludes trivialattacks via the notion of session freshness used in the RoR oracle. Formal definitions are given in thesupplementary material, here we give an informal description. Two session instances are partnered if theirviews match with respect to the identity of the peer, exchanged messages and derived secret keys—the firsttwo are usually interpreted as a session identifier. A session is fresh if: a) the instance completed; b) theinstance was not queried to Ror or Reveal before; c) at least one of the following four conditions holds:i. the instance accepted during a query to Execute; ii. there exists more than one partner instance; iii. nopartner instance exists and the associated password was not corrupted prior to completion; iv. a unique freshpartner instance exists (implies not revealed).

A PAKE protocol is secure if, for any ppt attacker interacting with the above experiment and placing atmost qs queries to the Send oracle, we have that

|Pr[b′ = b]− 1/2| ≤ qs/|D|+ ε ,

10 This assumption is standard for the corruption model captured by this game-based definition. If correlated pass-words were allowed, then corrupting one password might reveal information that allows the attacker to triviallyinfer another one; preventing trivial attacks in this setting leads to a definition in the style of [5], where the cor-ruption of a password must invalidate RoR queries associated with all correlated passwords; this means the wholedictionary if no restrictions is imposed on the distribution. The finer-grained definition of password corruption weadopt here does not easily extend to the case of arbitrary correlations between passwords. See the supplementarymaterial for a discussion. The UC definition covers arbitrary password sampling distributions and the results weprove in this section should extend to any reasonable game-based definition that deals with more complex passworddistributions. This is clearly the case for the concrete distributions discussed in the supplementary material.

11 We use RoR (Real-or-Random) for this oracle rather than the standard Test oracle designation to avoid confusionwith the test and late test requests that are included in the UC PAKE ideal functionality definitions.

17

Page 18: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

where ε is a negligible term.The original definition proposed by Bellare, Pointcheval and Rogaway [5] allows for stronger corruption

models—fixing the corrupt password maliciously and revealing the internal state of session instances—whichwe omit here; it is straightforward to adapt our proof to the case of malicious password setting. We also donot deal with the asymmetry between client and server (also known as augmented PAKE) as this is outsidethe scope of this paper.

Known results for UC PAKE. Canetti et al. [10] introduced the notion of UC-secure PAKE and provedthat this definition implies game-based security of the protocol as defined in [5]. Our proof that RelaxedPAKE implies game-based PAKE with PFS follows along the same lines and relies on two auxiliary resultsfrom that original proof that we recover here; the first result concerns a generic mechanism for the handlingof session identifiers called SID-enhancement and the second one is a general result for security againsteavesdroppers.

Given a two-party protocol Π, its SID-enhancement Π ′ is defined as the protocol that has the partiesexchange nonces and then uses the concatenation of these nonces as SID. This transformation convertsany protocol Π that assumes SIDs provided by an external environment as the means to define matchingsessions, into another one that generates the SID on-the-fly as required by the syntax of the game-basedsecurity definition. Both the original proof and the one we give here show that the UC security of Π impliesthe game-based security of Π ′. Intuitively, an environment simulating the PFS-game above can wait untilthe SID for the enhanced protocol is defined before calling NewSession to initiate the session of the partiesin the UC setting.

For security against eavesdroppers, Canetti et al. show that no successful ideal world adversary can placeTestPwd queries on sessions for which the environment Z instructed the adversary to pass messages betweenthe players unmodified (i.e., to only eavesdrop on the session). We give here the intuition on why this is thecase and refer the interested reader to [10] for a detailed proof.

The crucial observation is that, for eavesdropped sessions, the ideal-world adversary generates all the traceand hence has no side information on the password;this means that for every environment Z for which theideal-world attacker might place such a query, there exists an environment Z ′ that can catch the simulator; Z ′operates as Z, but it uses a high-entropy password for the problematic session: in the real-world a session thetwo honest parties will end-up with matching keys with probability 1—one assumes perfect correctness herefor simplicity—whereas an ideal-world adversary placing a TestPwd can never match the same behaviour.Indeed, querying a wrong password to TestPwd leads to mismatching keys with overwhelming probabilityin the ideal world and the ideal-world adversary cannot guess the password correctly except with smallprobability.

This argument extends trivially to LateTestPw queries, as these must be preceded by a RegisterTest queryprior to session completion that also leads to mismatching keys with overwhelming probability. Furthermore,the above reasoning also applies when the ideal-world adversary may have the extra power of simulatingan ideal object, i.e., the UC-secure PAKE protocol is defined in an F-hybrid model. Indeed, whateverenvironment Z may have leaked to the ideal-world adversary via calls to F , there exists an environment Z ′that catches S as above.

5.2 Relaxed PAKE Implies PFS

Theorem 3. Let F be an ideal object such as a random-oracle or an ideal-cipher. If Π securely realizesFrPAKE without explicit authentication, in the (FCRS,F)-hybrid model, then its SID-enhanced version Π ′ isPFS-secure according to the game-based definition given above.

Proof. (Sketch) The overall structure of the proof matches that given in [10].Fix some dictionary D with |D| > 1 and any ppt adversary A′ attacking Π ′ in the game-based setting

and placing at most qs queries to the Send oracle. Construct an environment Z that either interacts withthe “canonical” (dummy) real world adversary A or with the ideal-world adversary S and FrPAKE. Thisenvironment runs A′ as a subroutine and emulates the entire PFS game for it; in particular, it creates all

18

Page 19: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

the pre-sampled passwords itself, as well as the secret bit b. The CRS is initially obtained via the real/idealworld adversary, and it is provided to A′. The oracle queries placed by A′ are answered as follows:

– Execute and Send queries are answered by first instructing the real/ideal world adversary to performthe necessary message exchanges, and then providing the observable trace or response to A′. We omithere the details on how to handle SIDs, which we handle as in [10]: Z can wait until the SID is fixed inΠ ′ before calling NewSession and then proceed as stated for subsequent steps in the protocol.

– Corrupt queries are simply answered by giving the password to A′.– Reveal and RoR queries are answered by looking at the output tape of the corresponding party session

to obtain the generated session key, and then proceeding as in the game-based definition.– F queries are passed on to the real/ideal-world adversary and the answer is returned back to A′.

When the adversary terminates, Z returns 1 if and only if b = b′. In short, the environment is constructedsuch that the probability that Z outputs 1 when interacting with A in the real world is identical to theprobability that the game-based PFS experiment returns 1 when interacting with A′.

Let us now look at the ideal world. The UC security of the protocol guarantees the existence of an idealworld adversary S that presents a view to Z that is computationally close to that which is observable in thereal world. We consider the setting of Z running A′ as a subroutine and interacting with this S.

The first observation is that here the PFS attacker A′ only gets information on the hidden bit b whenquerying RoR on a session declared fresh by the PFS experiment. We will show that the PFS attacker hasno information on the derived keys for such fresh sessions for four different cases: 1) all sessions created byExecute queries placed by PFS attacker A′; 2) sessions where the PFS attacker was active and S placed aLateTestPw query after the session completed; 3) sessions where the PFS attacker was active and S did notplace a TestPw query before the session completed; and 4) sessions where the PFS attacker was active andS placed a TestPw before the session completed for an incorrect password. Note that this leaves a fifth caseyet untreated, which is the same as the fourth one, except that password is correct. We handle this case atthe end of the proof.

Case 1. Let us first consider sessions established as a result of Execute queries placed by A′. Recall allsuch sessions are fresh unless the session key is explicitly revealed to A′. Here we apply the argument statedfor eavesdroppers by Canetti et al, which excludes any TestPwd or LateTestPwd queries. Note that in thiscase, the session key output by the ideal functionality can only be revealed to A′ by Z through a revealquery. However, if this occurred for either of the partner sessions, the freshness condition would not hold.This means that the session key established for a created via an Execute query is totally hidden from A′in the ideal world.

Case 2. Note that all sessions not captured in the previous case were established as a consequence of Sendqueries placed by the PFS adversary and recall that at most qs such sessions can occur.

We next show that, for these sessions, if S placed a LateTestPwd query, this does not help S and A′ inobtaining information about a key that is used by the RoR oracle. To see this, note that any session thatis late-tested gives rise to an independent session key in the ideal world that cannot be fixed via TestPwd;moreover, LateTestPwd reveals nothing about this key to S. Again, any session that is declared fresh bythe game-based experiment cannot have been revealed explicitly to A′, which means the session key isinformation-theoretically hidden from it. Note that the above argument holds independently of the fact thatthe password might have been corrupted prior to session acceptance and somehow included in a query to F .

Cases 3 and 4. For remaining cases of fresh sessions where A′ might get information about b, we cannotexclude that the ideal-world adversary S has made a successful TestPwd query prior to session acceptance.However, it is clear that, if such a query is not placed, then the same argument we used for the previouscases applies and the established key is also information-theoretically hidden from the adversary A′, whichcovers case 3. For Case 4, we note that the same argument still applies if the TestPwd query is placed witha wrong password, as in this case S can get no side-information on the session key via the functionality.

19

Page 20: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

We can now conclude the proof as in [10]. We have shown that all secret keys on whichA′ can be challengedin the ideal world are information theoretically from it hidden from A′, unless S is able to make a successfulTestPwd query on a session that was established as a result of a Send query placed by the PFS adversary.We know that there are at most qs such sessions. We argue that the overall probability that S makes such aTestPwd query is at most qs/|D|. This is because, for those sessions to be fresh, the associated password wasnot corrupted by A′ before session completion, and hence cannot have been leaked to S before the TestPwdquery was placed. Note that this argument holds for any possible because all prior communication betweenZ and S that could transfer information on the password to S (both protocol messages and calls to F) arecreated by A′, and A′ cannot have information on the password if the session is fresh.

This means that an up-to-bad argument can be used to show that the ideal-world view of Z is qs/|D|-close to that of a modified experiment in which Z outputs 1 with probability exactly 1/2. Combining thevarious terms one derives that the game-based advantage is upper-bounded by qs/|D| + ε, where ε is thedistinguishing advantage of Z.

5.3 Lazy-Extraction PAKE Implies Weak FS

The proof of the above theorem can be adapted to show that any protocol that realizes the Lazy-ExtractionUC PAKE functionality is secure under a weak form of game-based security: the attacker is not allowedto corrupt the passwords of sessions against which it launches an active attack. This notion of game-basedsecurity for PAKE is sometimes called weak FS. We summarize how the proof can be adapted.

The first step is to notice that the same argument that excludes any simulator that places TestPwd orLateTestPwd queries for eavesdropped sessions under the relaxed UC PAKE definition still applies in the lazyextraction setting. This means that all cases in the proof except for case 2) can be handled as before: case1) concerns eavesdropped sessions, whereas all other cases are related with the TestPwd query, for which thebehavior of the ideal functionality is the same as in the theorem. This leaves LateTestPwd queries.

The important observation here is that LateTestPwd can be handled exactly as TestPwd queries: underweak FS the attacker A′ can no longer corrupt a password for an actively attacked session, and hencethe relevant password is hidden from the simulator during the entire execution. The probability that thesimulator gets the password right is therefore 1/|P| in each LateTestPwd query. On the other hand, if thesimulator guesses wrong, it receives no information about the correct session key (it gets a random stringfrom the lazy-extraction UC PAKE functionality). Since we know that the ideal world adversary can place atmost one LateTestPwd or TestPwd query, and that at most qs actively attacked sessions exist, the implicationfollows from the same up-to-bad reasoning and holds with the same bound.

5.4 Practical implications

Putting together the results in Section 3 and Section 4 we obtain positive results for rPAKE secure protocolsin the Universal Composability framework, namely SPAKE2, TBPEKE, CPACE and SPEKE, followed bya round of key confirmation (although we did not give a detailed proof for the latter two, and regardingCPACE we expect that the proof will require that additional elements, such as the protocol transcript, areincluded in the key derivation hash). The result in this section shows that all such protocols are also PFSsecure in the game-based setting. The caveat here is that this proof involves modifying the protocol to dealwith session identifiers: The UC PAKE model requires a unique session identifier as an input of the protocol,while in practice agreeing on such identifier before the protocol starts can add extra communication roundsto the protocol. For completeness, we include a direct proof that SPAKE2 with key confirmation providesgame-based PFS with a tight reduction to Gap CDH in ROM as supplementary material.

Acknowledgments. Michel Abdalla was supported in part by the ERC Project aSCEND (H2020 639554)and by the French ANR ALAMBIC Project (ANR-16-CE39-0006). Manuel Barbosa was supported in part bythe grant SFRH/BSAB/143018/2018 awarded by FCT, Portugal, and by the ERC Project aSCEND (H2020639554). Stanis law Jarecki and Tatiana Bradley were supported by the NSF SaTC award 1817143. Work of

20

Page 21: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Jonathan Katz and Jiayu Xu was supported in part under financial assistance award 70NANB15H328 fromthe U.S. Department of Commerce, National Institute of Standards and Technology.

References

1. Abdalla, M., Catalano, D., Chevalier, C., Pointcheval, D.: Efficient two-party password-based key exchangeprotocols in the UC framework. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 335–351. Springer,Heidelberg (Apr 2008)

2. Abdalla, M., Fouque, P.A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting.In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (Jan 2005)

3. Abdalla, M., Fouque, P.A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting.IEE Proceedings — Information Security 153(1), 27–39 (Mar 2006)

4. Abdalla, M., Pointcheval, D.: Simple password-based encrypted key exchange protocols. In: Menezes, A. (ed.)CT-RSA 2005. LNCS, vol. 3376, pp. 191–208. Springer, Heidelberg (Feb 2005)

5. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In:Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (May 2000)

6. Bellovin, S.M., Merritt, M.: Encrypted key exchange: Password-based protocols secure against dictionary attacks.In: IEEE Symposium on Security and Privacy – S&P 1992. pp. 72–84. IEEE (1992)

7. Boyko, V., MacKenzie, P.D., Patel, S.: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (May2000)

8. Bradley, T., Camenisch, J., Jarecki, S., Lehmann, A., Neven, G., Xu, J.: Password-authenticated public-keyencryption. In: Deng, R.H., Gauthier-Umana, V., Ochoa, M., Yung, M. (eds.) ACNS 19. LNCS, vol. 11464, pp.442–462. Springer, Heidelberg (Jun 2019)

9. Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: 42nd FOCS. pp.136–145. IEEE Computer Society Press (Oct 2001)

10. Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.D.: Universally composable password-based keyexchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (May2005)

11. Gennaro, R.: Faster and shorter password-authenticated key exchange. In: Canetti, R. (ed.) TCC 2008. LNCS,vol. 4948, pp. 589–606. Springer, Heidelberg (Mar 2008)

12. Gentry, C., MacKenzie, P., Ramzan, Z.: A method for making password-based key exchange resilient to servercompromise. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 142–159. Springer, Heidelberg (Aug 2006)

13. Goldreich, O., Lindell, Y.: Session-key generation using human passwords only. Journal of Cryptology 19(3),241–340 (Jul 2006)

14. Groce, A., Katz, J.: A new framework for efficient password-based authenticated key exchange. In: Al-Shaer, E.,Keromytis, A.D., Shmatikov, V. (eds.) ACM CCS 2010. pp. 516–525. ACM Press (Oct 2010)

15. Haase, B., Labrique, B.: AuCPace: Efficient verifier-based PAKE protocol tailored for the IIoT. Cryptology ePrintArchive, Report 2018/286 (2018), https://eprint.iacr.org/2018/286

16. Haase, B., Labrique, B.: AuCPace: Efficient verifier-based PAKE protocol tailored for the IIoT. IACR TCHES2019(2), 1–48 (2019), https://tches.iacr.org/index.php/TCHES/article/view/7384

17. Hao, F., Shahandashti, S.F.: The SPEKE protocol revisited. Cryptology ePrint Archive, Report 2014/585 (2014),http://eprint.iacr.org/2014/585

18. Hwang, J.Y., Jarecki, S., Kwon, T., Lee, J., Shin, J.S., Xu, J.: Round-reduced modular construction of asymmetricpassword-authenticated key exchange. In: Catalano, D., De Prisco, R. (eds.) SCN 18. LNCS, vol. 11035, pp. 485–504. Springer, Heidelberg (Sep 2018)

19. Jablon, D.P.: Extended password key exchange protocols immune to dictionary attacks. In: 6th IEEE InternationalWorkshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE 1997). pp. 248–255.IEEE Computer Society, Cambridge, MA, USA (Jun 18–20, 1997)

20. Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: An asymmetric PAKE protocol secure against pre-computationattacks. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 456–486.Springer, Heidelberg (Apr / May 2018)

21. Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: An asymmetric PAKE protocol secure against pre-computationattacks. Cryptology ePrint Archive, Report 2018/163 (2018), https://eprint.iacr.org/2018/163

21

Page 22: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

22. Jutla, C.S., Roy, A.: Dual-system simulation-soundness with applications to UC-PAKE and more. In: Iwata, T.,Cheon, J.H. (eds.) ASIACRYPT 2015, Part I. LNCS, vol. 9452, pp. 630–655. Springer, Heidelberg (Nov / Dec2015)

23. Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable pass-words. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 475–494. Springer, Heidelberg (May2001)

24. Katz, J., Ostrovsky, R., Yung, M.: Forward secrecy in password-only key exchange protocols. In: Cimato, S.,Galdi, C., Persiano, G. (eds.) SCN 02. LNCS, vol. 2576, pp. 29–44. Springer, Heidelberg (Sep 2003)

25. Katz, J., Vaikuntanathan, V.: Round-optimal password-based authenticated key exchange. In: Ishai, Y. (ed.)TCC 2011. LNCS, vol. 6597, pp. 293–310. Springer, Heidelberg (Mar 2011)

26. Krawczyk, H.: The OPAQUE asymmetric PAKE protocol, https://www.ietf.org/id/

draft-krawczyk-cfrg-opaque-03.txt (Oct 2019)27. Krawczyk, H.: HMQV: A high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005.

LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (Aug 2005)28. MacKenzie, P.: On the security of the SPEKE password-authenticated key exchange protocol. Cryptology ePrint

Archive, Report 2001/057 (2001), http://eprint.iacr.org/2001/05729. Okamoto, T., Pointcheval, D.: The gap-problems: A new class of problems for the security of cryptographic

schemes. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (Feb 2001)30. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J.

(ed.) CRYPTO’91. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (Aug 1992)31. Pointcheval, D., Wang, G.: VTBPEKE: Verifier-based two-basis password exponential key exchange. In: Karri,

R., Sinanoglu, O., Sadeghi, A.R., Yi, X. (eds.) ASIACCS 17. pp. 301–312. ACM Press (Apr 2017)

22

Page 23: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

A Proof of Theorem 2

Proof. We construct a simulator SIM as in Fig. 6, which interacts with functionality FrPAKE-EA and anenvironment Z, and we show that for any efficient environment Z and any real-world adversary A, Z cannotdistinguish the ideal-world execution, created by SIM in interaction with FrPAKE-EA, from the real-worldexecution, created by A in interaction with real-world parties executing protocol Π ′. However, since weassume that sub-protocol Π realizes functionality FlePAKE, the real-world adversary can be without loss ofgenerality replaced by a hybrid-world adversary, where the lazy-extraction PAKE sub-protocol Π executedby the real-world parties within protocol Π is replaced by the ideal functionality FlePAKE. Indeed, in theproof we assume that A is operates in such FlePAKE-hybrid world, although to simplify the terminology wepersist in calling A a “real-world” adversary. Also for notational simplicity, we denote functionality FrPAKE-EAthroughout the proof as simply F . Finally, as is standard, without loss of generality we assume that theadversary A is a “dummy” adversary who merely passes all messages and computation to Z.

The proof goes by a sequence of games, starting from the real world and ending at the simulated world;and we prove that Z’s views in any pair of adjacent games are indistinguishable. In all of these games wedivide all possible scenarios into several cases (which are unchanged throughout the sequence of games),according to whether A performs an online attack on party P’s rPAKE session, and if so, whether it is anonline attack or a postponed attack on P’s lePAKE session.12 Throughout the argument below we assumethat P’s role is client; the other case, i.e., P’s role is server, can be argued similarly. Let P’s counterpart beP ′, and P ′’s password be pw ′.

Case 1 (online attack on lePAKE → online attack on rPAKE): A sends (TestPwd, sid ,P, pw∗) to FlePAKE

when P’s lePAKE session is fresh. There are two sub-cases:Case 1a (correct guess): pw∗ = pw (thus P’s lePAKE session becomes compromised).Case 1b (wrong guess): pw∗ 6= pw (thus P’s lePAKE session becomes interrupted).

Case 2 (postponed attack on lePAKE → online attack on rPAKE): A sends (RegisterTest, sid ,P) whenP’s lePAKE session is fresh, followed by (NewKey, sid ,P, k∗); and then sends (LateTestPwd, sid ,P, pw∗) toFlePAKE (cauing P’s rPAKE session to complete) before sending a tag τ∗ to P. There are two sub-cases:

Case 2a (correct guess): pw∗ = pw .Case 2b (wrong guess): pw∗ 6= pw .

Case 3 (postponed attack on lePAKE → postponed attack on rPAKE): This is the complementary case ofCase 2, i.e., A sends (RegisterTest, sid ,P) when P’s lePAKE session is fresh, followed by (NewKey, sid ,P, ?);and then an tag τ∗ to P before sending any (LateTestPwd, sid ,P, pw∗) message to FlePAKE. (Eventually Amay or may not send LateTestPwd.)

Case 4 (no attack on lePAKE): A sends neither a (TestPwd, sid ,P, ?) nor a (RegisterTest, sid ,P) query toFlePAKE when P’s lePAKE session is fresh (thus P’s lePAKE session remains fresh until it becomes completed).There are two sub-cases:

Case 4a (no attack on counterpart, passwords match): P ′’s lePAKE session is completed when A sendsτ∗ aimed at P, and P ′’s lePAKE session was also fresh right before it becomes completed. Furthermore,pw ′ = pw (i.e., P and P ′’s passwords match).

Case 4b: This is the complementary case of Case 4a.

Game 0. This is the real world, in which A interacts with real players, and may view, modify, and/or dropnetwork messages.

12 Note that each rPAKE session runs a lePAKE session as a subprotocol, and these two sessions should not beconfused. When we mention a party’s session, we always explicitly point out which one it refers to. Similarly, eachparty has a lePAKE output (which is always a string) and a PAKE output (which is either a string derived fromits lePAKE output or ⊥).

23

Page 24: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Game 1. In Cases 1b, 2b and 4 (except for the subcase of Case 4a that P outputs after P ′ does), setK, τ, γ ←R {0, 1}κ (instead of K = PRFk(1), τ = PRFk(2) and γ = PRFk(3)).

Note that in all these cases, k is a random string in {0, 1}κ, and is only used in computing K, τ andγ. (That is, k is never revealed to Z, and is never used in P ′’s algorithm.) Therefore, any environment Zwhich distinguishes between Game 0 and Game 1 can be turned into an adversary B1 against the securityof PRF: B1, given access to an oracle O(·) (which computes either PRFk(·) or a random function), runs thecode of Game 0, except that (1) it aborts if the condition of Game 1 does not hold, and (2) if the conditionof Game 1 holds, it sets K = O(1), τ = O(2) and γ = O(3) instead of K = PRFk(1), τ = PRFk(2) andγ = PRFk(3). Then B1 copies Z’s output. We have that

|Pr [G1]− Pr [G0]| ≤ AdvPRFB1

.

Game 2. In the subcase of Case 4a that P outputs after P ′ does, set K = K ′ and τ ←R {0, 1}κ (insteadof K = PRFk(1) and τ = PRFk(2)).

Note that in this case K = K ′ = PRFk(1), so redefining K = K ′ does not change Z’s view. k is a randomstring in {0, 1}κ, and is only used in computing K, K ′, τ and γ. (That is, k is never revealed to Z.) Therefore,any environment Z which distinguishes between Game 1 and Game 2 can be turned into an adversary B2against the security of PRF: B2, given access to an oracle O(·), runs the code of Game 1, except that (1) itaborts if the condition of Game 2 does not hold, and (2) if the condition of Game 2 holds, it sets τ = O(2)instead of τ = PRFk(2). Then B2 copies Z’s output. We have that

|Pr [G2]− Pr [G1]| ≤ AdvPRFB2

.

Game 3. In Case 3, let P output (sid ,⊥).In Game 2 P outputs (sid ,⊥) in Case 3 unless τ∗ = γ = PRFk(3). Therefore, Z’s views in Game 2 and

Game 3 are identical unless τ∗ = PRFk(3) in Case 3. Denote this event bad . Note that at the time whenA sends τ∗, k is a random string in {0, 1}κ, and is only used in computing τ = PRFk(2). Therefore, anyenvironment Z which causes bad to happen can be turned into an adversary B3 against the security of PRF:B3, given access to an oracle O(·), runs the code of Game 2, except that (1) it aborts if Case 3 does nothappen, (2) in Cases 3, it sets τ = O(2) instead of τ = PRFk(2). Then B3 outputs 1 if τ∗ = O(3), and 0otherwise (and breaks the game). We have that

AdvPRFB3

=

∣∣∣∣Pr[bad ]− 1

∣∣∣∣ ,

so

|Pr [G3]− Pr [G2]| ≤ Pr[bad ] ≤ AdvPRFB3

+1

2κ.

Game 4. In Cases 1b, 2b and 4b, let P output (sid ,⊥).In Game 3 P outputs (sid ,⊥) in Cases 1b, 2b and 4b unless τ∗ = γ ←R {0, 1}κ. Therefore, Z’s views in

Game 3 and Game 4 are identical unless τ∗ = γ in Cases 1b, 2b and 4b. Since γ is independent of everythingelse, this probability is at most 1/2κ. We have that

|Pr [G4]− Pr [G3]| ≤ 1

2κ.

Game 5. In Cases 1b and 2b, set τ := PRFk(2) where k ←R {0, 1}κ (instead of τ ←R {0, 1}κ).Any environment Z which distinguishes between Game 4 and Game 5 can be turned into an adversary

B4 against the security of PRF: B4, given access to an oracle O(·), runs the code of Game 4, except that (1)it aborts if neither of Cases 1b and 2b happens, and (2) in Cases 1b and 2b, it sets τ = O(2) instead ofτ ←R {0, 1}κ. Then B4 copies Z’s output. We have that

|Pr [G5]− Pr [G4]| ≤ AdvPRFB4

.

We now argue, case by case, that Z’s views in Game 5 and the ideal world are identical.

24

Page 25: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Case 1a:

– Game 5: In this case there is no change from Game 0 to Game 5. Therefore, Z’s view consists of“correct guess” when A sends (TestPwd, sid ,P, pw∗ = pw) to FlePAKE, τ = PRFk∗(2) when A sends(NewKey, sid ,P, k∗) to FlePAKE, and (sid ,K = PRFk∗(1)) if A sends τ∗ = PRFk∗(3) and (sid ,⊥) other-wise.

– Ideal world: When A sends (TestPwd, sid ,P, pw) aimed at FlePAKE, SIM passes this message to F ; whenF replies “correct guess,” SIM passes this message to A. At this time P’s lePAKE session (kept in SIM)and rPAKE session (kept in F) are both compromised. Then when A sends (NewKey, sid ,P, k∗) aimedat FlePAKE, SIM sets k := k∗ and sends τ := PRFk(2) to A; when A sends τ∗, if τ∗ = PRFk∗(3) thenSIM sends (NewKey, sid ,P,K := PRFk(1)) to F , and F sends (sid ,K) to P (who outputs this message);otherwise SIM sends (NewKey, sid ,P,⊥) to F , and F sends (sid ,⊥) to P (who outputs this message).

According to the analysis above, we can see that Z’s views in Game 5 and the ideal world are identical inthis case.

Case 1b:

– Game 5: In this case the changes from Game 0 are done in Game 1, Game 4 and Game 5. Z’s view consistsof “wrong guess” when A sends (TestPwd, sid ,P, pw∗) to FlePAKE, τ = PRFk(2) (where k ←R {0, 1}κ)when A sends (NewKey, sid ,P, k∗) to FlePAKE, and (sid ,⊥) when A sends τ∗.

– Ideal world: When A sends (TestPwd, sid ,P, pw∗) aimed at FlePAKE, SIM passes this message to F ;when F replies “wrong guess,” SIM passes this message to A. At this time P’s lePAKE session (keptin SIM) and rPAKE session (kept in F) are both interrupted. Then when A sends (NewKey, sid ,P, k∗)aimed at FlePAKE, SIM picks k ←R {0, 1}κ and sends τ := PRFk(2) to A; when A sends τ∗, SIM sends(NewKey, sid ,P, ?) to F , and F sends (sid ,⊥) to P (who outputs this message). (Note that P’s rPAKEsession is interrupted, so F always sends (sid ,⊥) to P when SIM sends NewKey.)

According to the analysis above, we can see that Z’s views in Game 5 and the ideal world are identical inthis case.

Case 2a: This case is the same with Case 1a, except that A’s message sequence TestPwd and NewKeyis replaced by RegisterTest, NewKey and LateTestPwd. With an argument similar to Case 1a (we omit thedetails), Z’s views in Game 5 and the ideal world are identical in this case.

Case 2b: Again, this case is the same with Case 1b, except that A’s message sequence TestPwd and NewKeyis replaced by RegisterTest, NewKey and LateTestPwd. With an argument similar to Case 1b (we omit thedetails), Z’s views in Game 5 and the ideal world are identical in this case.

Case 3:

– Game 5: In this case the changes from Game 0 are done in Game 3. Z’s view consists of τ = PRFk(2)(where k ←R {0, 1}κ) when A sends (NewKey, sid ,P, k∗) to FlePAKE, (sid ,⊥) when A sends τ∗, and k ifA sends (LateTestPwd, sid ,P, pw∗ = pw) to FlePAKE and k$ ←R {0, 1}κ otherwise.

– Ideal world: When A sends (RegisterTest, sid ,P) aimed at FlePAKE, SIM passes this message to F . Atthis time P’s lePAKE session (kept in SIM) and rPAKE session (kept in F) are both interrupted andflagged tested. Then when A sends (NewKey, sid ,P, k∗) aimed at FlePAKE, SIM picks k ←R {0, 1}κ andsends τ := PRFk(2) to A; when A sends τ∗, SIM sends (NewKey, sid ,P, ?) to F , and F sends (sid ,⊥) toP (who outputs this message). (Note that P’s rPAKE session is interrupted, so F always sends (sid ,⊥)to P when SIM sends NewKey.) Finally, when A sends (LateTestPwd, sid ,P, pw∗) aimed at FlePAKE, SIMpasses this message to F and removes the tested flag; if pw∗ = pw , then F replies “correct guess,” andSIM sends k to A; if pw∗ 6= pw , then F replies “wrong guess,” and SIM sends k$ ←R {0, 1}κ to A.

According to the analysis above, we can see that Z’s views in Game 5 and the ideal world are identical inthis case.

25

Page 26: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Case 4a, P outputs before P ′ does:

– Game 5: In this case the changes from Game 0 are done in Game 1. Z’s view consists of τ ←R {0, 1}κwhen A sends (NewKey, sid ,P, k∗) to FlePAKE, and (sid ,K ←R {0, 1}κ) if A sends τ∗ = γ = τ ′ and(sid ,⊥) otherwise.

– Ideal world: When A sends (NewKey, sid ,P, k∗) to FlePAKE, SIM picks τ ←R {0, 1}κ, sets γ := ⊥, andsends (GetReady, sid ,P) to F ; F marks P’s rPAKE session ready. When A sends τ∗, if τ∗ = τ , then SIMsends (NewKey, sid ,P, 0κ) to F , and F sends (sid ,K ←R {0, 1}κ) to P (who outputs this message); ifτ∗ 6= τ , then SIM sends (NewKey, sid ,P,⊥) to F , and F sends (sid ,⊥) to P (who outputs this message).

According to the analysis above, we can see that Z’s views in Game 5 and the ideal world are identical inthis case.

Case 4a, P outputs after P ′ does: This case is the same with the subcase of Case 4a that P outputsbefore P ′ does, except that K ←R {0, 1}κ is replaced by K = K ′. With an argument similar to Case 1b (weomit the details), Z’s views in Game 5 and the ideal world are identical in this case.

Case 4b:

– Game 5: In this case the changes from Game 0 are done in Game 1 and Game 4. Z’s view consists ofτ ←R {0, 1}κ when A sends (NewKey, sid ,P, k∗) to FlePAKE, and (sid ,⊥) when A sends τ∗.

– Ideal world: When A sends (NewKey, sid ,P, k∗) to FlePAKE, SIM picks τ ←R {0, 1}κ, sets γ := ⊥,and sends (GetReady, sid ,P) to F ; F marks P’s rPAKE session ready. When A sends τ∗, SIM sends(NewKey, sid ,P,⊥) to F , and F sends (sid ,⊥) to P (who outputs this message).

According to the analysis above, we can see that Z’s views in Game 5 and the ideal world are identical inthis case.

Combining all results above, we conclude that Z’s views in the real world and the ideal world areindistinguishable. This concludes the proof.13

B Security of TBPEKE

We recall the two-flow, simultaneous round TBPEKE protocol [31] in Fig. 8, with some notational choicesadjusted to the UC setting.

The proof that TBPEKE is lazy-extraction UC PAKE secure is structurally similar to that of SPAKE2.In particular, the simulator adopts the same high-level strategy for dealing with passive and active attacks,while simulating the random oracle that is used for key derivation by taking advantage of knowing the CRS.(Random oracle P is trivially simulated, excluding collisions to avoid ambiguity between passwords.) Thesequence of games that justifies the simulation also follows the same pattern. The only significant differencelies in the step where one must exclude the possibility that the adversary places two random-oracle queries fortwo different passwords that are consistent with the same protocol trace, which would prevent the simulatorfrom maintaining consistency. In the SPAKE2 proof, this event can be reduced to Gap CDH. For TBSPEKE,the reduction to Gap CDH does not work and the stronger Gap SDH assumption, which we state here, isneeded as in [31].

SDH and Gap SDH assumptions. The Simultaneous Diffie-Hellman (SDH) assumption states that, giventhree random elements X, g = Xa, and h = Xb in a cyclic group of prime order, it is hard to find Y 6= 1 andR,S that simultaneously satisfy R = CDHg(X,Y ) = Y 1/a and S = CDHh(X,Y ) = Y 1/b. In the gap version,the problem must remain hard even if the adversary has access to a Decisional Diffie-Hellman oracle.

13 The proof is done in the single-session setting, i.e., we assume that there is only one sid . By a standard hybridargument, we can extend the result to the multi-session setting: If Z’s distinguishing advantage is ε for a singlesession, then it is qε for q sessions.

26

Page 27: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Public parameters: Random elements U, V of group G of prime order p;hash function H : X → {0, 1}κ;

hash function P : X → Zp

P on (NewSession, sid ,P,P ′, pw , client): P ′ on (NewSession, sid ,P ′,P, pw ′, server):

gpw ← U · V P(pw) gpw′ ← U · V P(pw′)

x←R Zp y ←R Zp

X ← gxpw Y ← gypw′-X � Y

K ← H(sid ,P,P ′, gpw , X, Y, Y x) K′ ← H(sid ,P,P ′, gpw′ , X, Y,Xy)output K output K′

Fig. 8. TBPEKE protocol of [31], which uses an additional random oracle P for deriving the generator gpw .

Theorem 4. TBPEKE realizes the Lazy-Extraction PAKE functionality FlePAKE in ROM under the Gap-CDH and Gap Simultaneous Diffie-Hellman (Gap-SDH) assumptions.

Simulator for TBPEKE. As for SPAKE2, for each party identifier P and session identifier sid , thesimulator SIM for TBPEKE stores a state πsid

P containing the following values:

– The role role ∈ {client, server} of P in this session.– The private exponent exp used in the network messages, x for C and y for S.– The transcript of the session includes variables (C,S, X, Y,X∗, Y ∗), where C,S are party identifiers for

client and server respectively, X,Y are simulated messages, and X∗, Y ∗ are adversarial messages.– The password pw of the party.– The key k sent in the NewKey query on behalf of the party.– A table guesses mapping values Z∗ to tuples (pw, k∗), representing potential password guesses, and

corresponding keys, made by the adversary using the random oracle H.– A flag waiting set to T if no adversarial message Z∗ has been received for this party and sid , and F

otherwise.

Let RealZ,A,TBPEKE be the event that environment Z with adversary A outputs 1 in the real world, andIdealZ,SIM,TBPEKE be the corresponding event in the ideal world. The goal is to show that the difference inthe probability of these events is negligible.

Proof of Theorem 4.

Game 0. This is the real world, in which A interacts with real players, and may view, modify, and/or dropnetwork messages.

RealZ,A,TBPEKE = Pr [G0].

Game 1. (Emulate real world with trapdoors) We now emulate the behavior of the real players andthe random oracle. This game is exactly as the real game, except for the inclusion of record keeping, andembedding of trapdoors in U and V , i.e, setting U = gu;V = gv for known u and v. The embedding oftrapdoors is not noticeable to the environment as U and V are still drawn from the same distribution asbefore, thus:

Pr [G1] = Pr [G0].

Game 2. (Remove P collisions) We now abort whenever there is a collision on the output of the randomoracle P. Let qP denote the number of queries to P. Clearly, this bad event can be upper bounded by q2P/pusing the birthday bound. Thus:

|Pr [G2]− Pr [G1]| ≤ q2P/p.

27

Page 28: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

generate CRS

U ← gu;V ← gv for (u, v)←R Zpreturn U, V

on (NewSession, sid ,P,P ′, role) from Pif πsidP 6= ⊥: return ⊥

(X,Y )← (⊥,⊥)if role = client :

(C,S)← (P,P ′)z ←R Zp ; X ← gz; Z ← X

if πsidP′ 6= ⊥ and πsid

P′ .role 6= client: Y ← πsidP′ .Y ; πsid

P′ .X ← Xelse if role = server :

(C,S)← (P ′,P)z ←R Zp ; Y ← gz; Z ← Y

if πsidP′ 6= ⊥ and πsid

P′ .role 6= server: X ← πsidP′ .X; πsid

P′ .Y ← Y

πsidP ← (role, z, C,S, X, Y,⊥,⊥,⊥,⊥, T)

send Z from P to A

on Z∗ from A as msg to (sid ,P)

if πsidP = ⊥ or πsid

P .waiting = F: return ⊥(role, ·, C,S, X, Y, ·, ·, ·, guesses, ·)← πsid

PK ← 0κ

if role = client :

πsidP .Y ∗ ← Z∗

if Z∗ = Y : jump to end

else if role = server :

πsidP .X∗ ← Z∗

if Z∗ = X: jump to end

if πsidP .guesses[Z∗] = (pw , k∗):reply← (TestPwd, sid ,P, pw) to Fif reply = “correct”: K ← k∗

else: send (RegisterTest, sid ,P) to Fend: πsid

P .waiting = F

send (NewKey, sid ,P,K) to F

on H(sid , C,S, gpw , X ′, Y ′,W ) from A:

if TH[sid , C,S, gpw , X ′, Y ′,W ] = ⊥:K ←R {0, 1}κfind pw ∈ TP s.t. TP[pw ] = gpw ; if none found, jump to end

(x, y) ← (⊥,⊥)

if πsidC 6= ⊥: x← πsid

C .exp/(u+ v · pw)

if πsidS 6= ⊥: y ← πsid

S .exp/(u+ v · pw)

if πsidC .X = X ′ and πsid

S .Y = Y ′ and W = gxypw : abort

else if πsidC .X = X ′ and W = (Y ′)x :

if Y ′ = πsidC .Y ∗: P ← C; jump to late test pw

else: πsidC .guesses[Y ′]← (pw ,K)

else if πsidS .Y = Y ′ and W = (X ′)y:

if X ′ = πsidS .X∗: P ← S; jump to late test pw

else: πsidS .guesses[X ′]← (pw ,K)

jump to end

late test pw: reply← (LateTestPwd, sid ,P, pw) to FK ← reply; if no reply, abort

end: TH[sid , C,S, gpw , X ′, Y ′,W ]← Ksend TH[sid , C,S, gpw , X ′, Y ′,W ] to A

on P(pw) from A:

if TP[pw ] = ⊥:p←R Zp ; if p ∈ TP.values: abortTP[pw ]← p

send TP[pw ] to A

Fig. 9. UC Simulator for TBPEKE.

28

Page 29: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Game 3. (Random key if adversary is passive) If the adversary passes a simulated Z message to (sid ,P)without modification, output a random key for P instead of the true random-oracle output. The envi-ronment notices this change only if A makes a hash query that would result in an inconsistency, namelyH(sid , C,S, gpw , X, Y,W = gxypw ), where gpw = g(u+P(pw)·v), X = gxpw , Y = gypw are the simulated messages.We check for such queries, and abort if any occurs.

We may reduce this event to Gap-CDH as follows. Consider an adversary B3 against Gap-CDH. Onchallenge (A = ga, B = gb), it first chooses u and v at random and sets U = gu and V = gv. Then, it embedsA in X = Aαsid (u+P(pw)·v), for a random known value αsid whenever it simulates a client message in sessionsid .14Likewise, it embeds B in Y = Bβsid (u+P(pw)·v) for a random known value βsid whenever it simulates aserver message in session sid . Next, whenever a party P receives a message Z from the adversary, it checkswhether Z was received without modification.

In the case where Z was not modified, then B3 checks whether a query (sid , C,S, gpw , X, Y,W ) has beenasked to H, where gpw = g(u+P(pw)·v). If no such queries exist or if DDH(X,Y,W (u+P(pw)·v)) does not hold forall such queries, then B3 chooses K at random in {0, 1}κ, sets TH[sid , C,S, gpw , X, Y,⊥] = K, and returns Kto the adversary. If DDH(X,Y,W (u+P(pw)·v)) holds for one such query, then B3 outputs W 1/[αsidβsid (u+P(pw)·v)]

as the solution to the Gap-CDH problem15.In the case where Z was modified and P is a client, then B3 checks whether a query (sid , C,S, gpw , X, Z,

W ) has been asked to H, using its state information, where gpw = g(u+P(pw)·v). If any such query exists andDDH(X,Z,W (u+P(pw)·v)) holds, then B3 returns TH[sid , C,S, gpw , X, Z,W ] to the adversary16. Otherwise,B3 chooses K at random in {0, 1}κ, sets TH[sid , C,S, gpw , X, Z,⊥] = K, and returns K to the adversary.

Next, whenever the adversary queries H on input (sid , C,S, gpw , X, Y,W ), B3 returns K = TH[sid , C,S,gpw , X, Y,W ] if K 6= ⊥. If TH[sid , C,S, gpw , X, Y,W ] = ⊥, B3 then checks whether there exists an entrysuch TH[sid , C,S, gpw , X, Y,⊥] 6= ⊥. If no such query exists, then B3 chooses K at random in {0, 1}κ,sets TH[sid , C,S, gpw , X, Y,W ] = K, and returns K to the adversary. If such a query exists and both Xand Y are simulated, then B3 outputs W 1/[(αsidβsid )(u+pw ·v)] as the solution to the Gap-CDH problem ifDDH(X,Y,W (u+P(pw)·v)) holds. If such a query exists but only X is simulated, then B3 outputs K =TH[sid , C,S, gpw , X, Y,⊥] if DDH(X,Y,W (u+P(pw)·v)) is true and updates the table entry by replacing ⊥with W . The case in which only Y is simulated is similar. Finally, if neither X or Y is simulated or ifthe DDH oracle returns false, B3 chooses K at random in {0, 1}κ, sets TH[sid , C,S, gpw , X, Y,W ] = K, andreturns K to the adversary.

Since B3 solves the CDH challenge whenever the bad event occurs, we have:

|Pr [G3]− Pr [G2]| ≤ AdvGCDHB3

.

Game 4. (Random simulated messages) On (NewSession, sid ,P,P ′, role), if this is the first NewSession for(sid ,P), set Z ← gz for z ←R Zp , and send Z to A as a message from P to (P ′, sid). Note that we maynow compute the original exponents via z = πsid

P .exp/(u + P(pw) · v). This change is not observable to theenvironment, as it is merely a syntactic change in the calculation of the exponents:

Pr [G4] = Pr [G3].

Game 5. (Random keys if adversary does not correctly guess password) We now detect when an adversarialhash query corresponds to a password guess. We can detect this event by inspecting the X∗, Y ∗, gpw andW values provided to the hash oracle H and the pw values provided to the hash oracle P. Let us assumethe adversary is guessing the client’s password (the server case is symmetric). To make a password guessagainst the client, the adversary must set X∗ = πsid

C .X, i.e., use the simulated message sent by the client.

14 For simplicity, we assume that u + P(pw) · v 6= 0, since this event happens with negligible probability due to theuse of the random oracle P.

15 For simulated values, X = Aαsid (u+P(pw)·v) = gaαsidpw and Y = Bβsid (u+P(pw)·v) = g

bβsidpw . Hence, to pass the test, the

correct value for W should be g[aαsid ]·[bβsid ]pw = gaαsidbβsid (u+P(pw)·v) and W 1/[αsidβsid (u+P(pw)·v)] = gab.

16 When X is simulated, X = Aαsid (u+P(pw)·v) = gaαsidpw . Let Z = gz = g

z/(u+P(pw)·v)pw . Hence, in order to pass the test,

W should be g[aαsid ][z/(u+P(pw)·v)]pw = gaαsidz, which can be verified via DDH(X,Z,W (u+P(pw)·v))

29

Page 30: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

The adversary can use any choice of Y ∗, but to correspond with a specific password guess, the followingcondition must hold: W = (Y ∗)x (where gpw = U · V P(pw) and x is the exponent such that X = gxpw ). Inother words, W must be the value that would be used by a real client if Y ∗ were sent as the server’s message.If such a password guess query is detected, we check if Y ∗ was previously sent as an adversarial messageon behalf of the server: if so, and if the password guess is correct, we program the random oracle to matchthe previously sent key. If Y ∗ was not previously sent, we note the values Y ∗, gpw queried by the adversaryand the random key K output by the random oracle H. If Y ∗ is later sent as the adversarial message, andthe password is correct, we output the stored key K. If the password is incorrect, we output a random keyindependent of the RO table for H. If at any point a second password guess (correct or incorrect) is detectedfor the same sid and party, we abort the game.

This change is noticeable to the environment only in the abort case, i.e, the case where the adversarymakes two hash queries that represent a password guess for the same values of X∗, Y ∗. We may reduce thelatter event to the Gap Simultaneous Diffie-Hellman (Gap-SDH) problem as follows.

Consider an adversary B5 against Gap-SDH. On challenge (A,G1 = Aa1 , G2 = Aa2), it first chooses two

random values p1 and p2 at random from Zp and sets V ← (G1/G2)1/(p1−p2) and U ← G1/V

p1 . Using thissetting, we have U · V pi = Gi for i = 1, 2. Let us assume the adversary is guessing the client’s password (theserver case is symmetric). The idea of the reduction is to program the random oracle P so that P(pw i) = pifor i = 1, 2, where pw1 and pw2 are the two password guesses. Since we do not know in advance the values ofpw1 and pw2, we just guess the respective queries to the random oracle P and abort if our guess is incorrect.Moreover, whenever we need to compute a client message X in session sid , we choose αsid at random fromZp and set X ← Aαsid . Finally, if the bad event happens and our guesses for pw1 and pw2 are correct,which happens with probability 1/q2P, then we know that (X∗, Y ∗,Wi) is valid DDH tuple with respect tothe generator Gi for i = 1, 2, which can be checked with the DDH oracle. Let αsid be the value used in the

computation of X∗. Then, it follows that (Y ∗,W 1/αsid

1 ,W1/αsid

2 ) is a valid solution to the Gap-SDH problem.Thus,

|Pr [G5]− Pr [G4]| ≤ q2P ·AdvGSDHB5

.

Game 6. (Use FlePAKE interface) In the final step, we modify the game so that it uses the RegisterTest,TestPwd and LateTestPwd interfaces to check passwords, and the NewKey interface to set keys. This is aninternal change that is not noticeable to the environment, thus

Pr [G6] = Pr [G5].

In addition, this game behaves exactly as the ideal-world simulator, so:

Pr [G6] = IdealZ,SIM,TBPEKE.

Thus the total advantage of Z is:

|IdealZ,SIM,TBPEKE −RealZ,A,TBPEKE| ≤ AdvGCDHB3

+ q2P ·AdvGCDHB5

+ q2P/p,

which is negligible if Gap-CDH and Gap-SDH are hard.

C Supplementary Figures for SPAKE2 Proof

This section contains figures illustrating the explicit game changes that occur in the proof of Theorem 1.Blue text indicates modifications from the previous game.

30

Page 31: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

generate CRS

M ← gm;N ← gn for (m,n)←R Zpreturn M,N

on (NewSession, sid ,P,P ′,pw , role) from Pif πsidP 6= ⊥: return ⊥

(X,Y )← (⊥,⊥)if role = client :

(C,S)← (P,P ′)z ←R Zp ; X ← gzMpw ; Z ← X

if πsidP′ 6= ⊥ and πsid

P′ .role 6= client: Y ← πsidP′ .Y ; πsid

P′ .X ← Xelse if role = server :

(C,S)← (P ′,P)z ←R Zp ; Y ← gzNpw ; Z ← Y

if πsidP′ 6= ⊥ and πsid

P′ .role 6= server: X ← πsidP′ .X; πsid

P′ .Y ← Y

πsidP ← (role, z, C,S, X, Y,⊥,⊥, pw ,,⊥, T)

send Z from P to A

on Z∗ from A as msg to (sid ,P)

if πsidP = ⊥ or πsid

P .waiting = F: return ⊥(role, z, C,S, X, Y, ·, ·, pw , guesses, ·)← πsid

Pif role = client :

Y ← Z∗/Npw ; πsidP .Y ∗ ← Z∗

K ← H(sid , C,S, Z∗, Y, pw , Xz)else if role = server :

X ← Z∗/Mpw ; πsidP .X∗ ← Z∗

K ← H(sid , C,S, X, Z∗, pw , Y z)

πsidP .waiting = F

output K

on H(sid , C,S, X ′, Y ′, pw ,W ) from A:

if TH[sid , C,S, X ′, Y ′, pw ,W ] = ⊥:K ←R {0, 1}κTH[sid , C,S, X ′, Y ′, pw ,W ]← K

send TH[sid , C,S, X ′, Y ′, pw ,W ] to A

Fig. 10. Perfect emulation of real-world interaction, with record keeping and trapdoors (Game 1).

31

Page 32: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Game 2generate CRS

(omitted - identical to previous game)

on (NewSession, sid ,P,P ′,pw , role) from P(omitted - identical to previous game)

on Z∗ from A as msg to (sid ,P)

if πsidP = ⊥ or πsid

P .waiting = F: return ⊥(role, z, C,S, X, Y, ·, ·, pw , guesses, ·)← πsid

PK ← {0, 1}κif role = client :

Y ← Z∗/Npw ; πsidP .Y ∗ ← Z∗

if Z∗ = Y : jump to end

else: K ← H(sid , C,S, X, Z∗, pw , Y z)else if role = server :

X ← Z∗/Mpw ; πsidP .X∗ ← Z∗

if Z∗ = X: jump to end

else: K ← H(sid , C,S, Z∗, Y, pw , Xz)

end: πsidP .waiting = F

output K

on H(sid , C,S, X ′, Y ′, pw ,W ) from A:

if TH[sid , C,S, X ′, Y ′, pw ,W ] = ⊥:K ←R {0, 1}κ; (x, y)← (⊥,⊥)

if πsidC 6= ⊥: x← πsid

C .expif πsidS 6= ⊥: y ← πsid

S .expif πsidC .X = X ′ and πsid

S .Y = Y ′ and W = gxy: abortTH[sid , C,S, X ′, Y ′, pw ,W ]← K

send TH[sid , C,S, X ′, Y ′, pw ,W ] to A

Fig. 11. Game 2 in SPAKE2 proof.

32

Page 33: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Game 3generate CRS

(omitted - identical to previous game)

on (NewSession, sid ,P,P ′,pw , role) from Pif πsidP 6= ⊥: return ⊥

(X,Y )← (⊥,⊥)if role = client :

(C,S)← (P,P ′)z ←R Zp ; X ←Mz; Z ← X

if πsidP′ 6= ⊥ and πsid

P′ .role 6= client: Y ← πsidP′ .Y ; πsid

P′ .X ← Xelse if role = server :

(C,S)← (P ′,P)z ←R Zp ; Y ← Nz; Z ← Y

if πsidP′ 6= ⊥ and πsid

P′ .role 6= server: X ← πsidP′ .X; πsid

P′ .Y ← Y

πsidP ← (role, z, C,S, X, Y,⊥,⊥, pw ,⊥, T)

send Z from P to A

on Z∗ from A as msg to (sid ,P)

if πsidP = ⊥ or πsid

P .waiting = F: return ⊥(role, z, C,S, X, Y, ·, ·, pw , guesses, ·)← πsid

PK ← {0, 1}κif role = client :

x = mz −mpw ; πsidP .Y ∗ ← Z∗

if Z∗ = Y : jump to end

else: K ← H(sid , C,S, X, Z∗, pw , Y x)else if role = server :

y = nz − npw ; πsidP .X∗ ← Z∗

if Z∗ = X: jump to end

else: K ← H(sid , C,S, Z∗, Y, pw , X y)

end : πsidP .waiting = F

output K

on H(sid , C,S, X ′, Y ′, pw ,W ) from A:

if TH[sid , C,S, X ′, Y ′, pw ,W ] = ⊥:K ←R {0, 1}κ; (x, y) ← (⊥,⊥)

if πsidC 6= ⊥: x← m · πsid

C .exp−m · pw

if πsidS 6= ⊥: y ← n · πsid

S .exp− n · pw

if πsidC .X = X ′ and πsid

S .Y = Y ′ and W = gxy: abortTH[sid , C,S, X ′, Y ′, pw ,W ]← K

send TH[sid , C,S, X ′, Y ′, pw ,W ] to A

Fig. 12. Game 3 in SPAKE2 proof.

33

Page 34: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Game 4generate CRS

(omitted - identical to previous game)

on (NewSession, sid ,P,P ′,pw , role) from P(parts omitted - identical to previous game)

πsidP ← (role, z, C,S, X, Y,⊥,⊥,⊥,⊥, T)

send Z from P to A

on Z∗ from A as msg to (sid ,P)

if πsidP = ⊥ or πsid

P .waiting = F: return ⊥(role, z, C,S, X, Y, ·, ·,⊥, guesses, ·)← πsid

PK ← {0, 1}κif role = client :

x = mz −mpw ; πsidP .Y ∗ ← Z∗

if Z∗ = Y : jump to end

else: K ← H(sid , C,S, X, Z∗, pw , Y y)else if role = server :

y = nz − npw ; πsidP .X∗ ← Z∗

if Z∗ = X: jump to end

else: K ← H(sid , C,S, Z∗, Y, pw , X y)

if πsidP .guesses[Z∗] = (pw , k∗): K ← k∗

end: πsidP .waiting = F

output K

on H(sid , C,S, X ′, Y ′, pw ,W ) from A:

if TH[sid , C,S, X ′, Y ′, pw ,W ] = ⊥:K ←R {0, 1}κ; (x, y) ← (⊥,⊥)

if πsidC 6= ⊥: x← m · πsid

C .exp−m · pw

if πsidS 6= ⊥: y ← n · πsid

S .exp− n · pw

if πsidC .X = X ′ and πsid

S .Y = Y ′ and W = gxy: abort

else if πsidC .X = X ′ and W = (Y ′/Npw )x :

if Y ′ = πsidC .Y ∗: P ← C; jump to late test pw

else: πsidC .guesses[Y ′]← (pw ,K)

else if πsidS .Y = Y ′ and W = (X ′/Mpw )y:

if X ′ = πsidS .X∗: P ← S; jump to late test pw

else: πsidS .guesses[X ′]← (pw ,K)

jump to end

late test pw: if late test pw has already been called, abort;

else if πsidP .guesses[Z∗] = (pw , k∗): K ← k∗

end: TH[sid , C,S, X ′, Y ′, pw ,W ]← Ksend TH[sid , C,S, X ′, Y ′, pw ,W ] to A

Fig. 13. Game 4 in SPAKE2 proof.

34

Page 35: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Supplementary Material: Game-based Proofs for SPAKE2

1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 SPAKE2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Perfect Forward Security Proof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Security with Key Confirmation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 Implications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16A Games and adversaries for the proof of Theorems 6.1 and 6.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 18B Games and adversary for the proof of Theorem 7.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

1 Overview

In this supplementary material, we provide further security analyses for SPAKE2 [AP05,LK19]. Moreprecisely, we demonstrate that SPAKE2 achieves perfect forward security even without key confirma-tion. Our proof of security is based on the Gap Diffie-Hellman assumption [OP01] in the random-oraclemodel [BR93]. Note that this does not contradict the impossibility result about the perfect forwardsecurity of 2-message key-exchange protocols in in the HMQV [Kra05] paper since the SPAKE2 pro-tocol assumes the pre-existence of secure shared state between parties which is the password itself. Wealso include an analysis of the protocol when key confirmation is added, which yields a better bound.

Finally, our proofs also demonstrate that SPAKE2 is flexible with respect to the generation of itsglobal parameters M and N . This includes the cases where M is a uniform group element and M = Nor the case where M and N are chosen as the output of a random oracle.

2 Preliminaries

Notation. We write x ← y for the action of assigning the value y to the variable x. We writex1, . . . , xn ←$X for sampling x1, . . . , xn from a finite set X uniformly at random. If A is a probabilisticalgorithm we write y1, . . . , yn ← $A(x1, . . . , xn) for the action of running A on inputs x1, . . . , xnwith independently chosen coins, and assigning the result to y1, . . . , yn. ppt as usual abbreviatesprobabilistic polynomial-time. We use notation T [x] to denote access to a dictionary/table T at indexx, and { } to denote the empty table. We abuse notation and use T to also represent the set of assignedindices in table T .

Games. We use the code-based game-playing language [BR04]. Each game has an Initialize anda Finalize procedure. It also has specifications of procedures to respond to an adversary’s variousqueries. A game is run with an adversary A as follows. First Initialize runs and its outputs arepassed to A. Then A runs and its oracle queries are answered by the procedures of the game. WhenA terminates, its output is passed to Finalize which returns the outcome of the game.

3 SPAKE2

Fig. 1 shows a SPAKE2 protocol execution between a user U and a server S.

Page 36: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

2

Client Server

accept← F accept← F

x←$Zq y ←$Zq

X ← gx Y ← gy

X? ← X ·Mpw X ← X? /Mpw

Y ← Y ? /Npw Y ? ← Y ·Npw

K ← H(U, S,X?, Y ?, pw, Y x) K ← H(U, S,X?, Y ?, pw, Xy)

accept← T accept← T

pw ∈ P,M,N ∈ G

U,X?

S, Y ?

Fig. 1. The SPAKE2 protocol [AP05].

4 Security Model

Our proof of security uses the indistinguishability-based model by Bellare, Pointcheval, and Rog-away [BPR00] and its extension to multiple Test queries proposed by Abdalla, Fouque, and Pointcheval(AFP) [AFP05,AFP06]. In the latter, all Test queries are answered with the same challenge bit b.

The security game already instantiated with SPAKE2 can be seen as G1 in Fig. 3. The name spacesfor servers S and users U are assumed to be disjoint; oracles reject queries inconsistent with thesename spaces.

In the following, we describe more precisely the state of a party instance, the notion of partnering,and the freshness condition used in the proof.

Definition 4.1 (Instance state). The state of an instance i at party P , denoted πiP is a tuple ofthe form (e, tr,K, ac) where

– e is the secret exponent (x or y) chosen by the party in that instance– tr is a session trace of the form (U, S,X?, Y ?)– K is the accepted session key– ac is a boolean flag that indicates whether the instance accepted (ac = T) or is expecting a response

(ac = F)

We will use πiP .e, πiP .tr, π

iP .K, πiP .ac to denote the individual components of the state.

Definition 4.2 (Partnering). A server instance πiS and a user instance πjU are partnered iff

πiS .ac = T ∧ πjU .ac = T ∧ πiS .tr = πjU .tr

Two user instances are never partnered. Two server instances are never partnered.

This is a definition in the style of matching-conversations. Note that partnering together with cor-rectness implies that the the associated keys are the same.

Definition 4.3 (Freshness). Instance i at party P is fresh, written Fresh(P, i) if and only if all thefollowing conditions hold:

1. the instance accepted;2. the instance was not queried to Test or Reveal before;

Page 37: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Supplementary Material: Game-based Proofs for SPAKE2 3

3. At least one of the following conditions holds:

(a) The instance accepted during a query to Execute;(b) There exists more than one partner instance;(c) No partner instance exists and Corrupt(U, S) was not called prior to acceptance;(d) A unique fresh partner instance exists.

5 Assumptions

The perfect forward security of SPAKE2 is based on the difficulty of solving the Computational Diffie-Hellman (CDH) problem by attackers that have access to a Decisional Diffie-Hellman (DDH) oracle.This is usually known as the Gap Diffie-Hellman problem (GCDH) [OP01].

The proof is carried out in the Random-Oracle (RO) model and, to prove perfect forward secret,we need to restrict our attention to algebraic adversaries [FKL18]. Note that the GCDH problem hasbeen shown to be equivalent to the standard discrete logarithm problem (DL) in the Algebraic andGeneric Group models [FKL18, Los19] so, our proof implies reductions to the DL problem in theseidealized models of computation.1

Our proof is structured to highlight which problem an attacker would need to solve to break theprotocol. On the one hand, we give tight reductions to well-known computational assumptions. Onthe other hand, it follows sequence of hops that clarifies how the assumptions map to the generationof SPAKE2 global parameters and runtime operation. We show that, as expected, passive behavior bythe attacker implies that it needs to solve the standard Gap CDH problem to break the establishedsession. Intuitively attackers have access to a DDH oracle by comparing random oracle outputs tothe keys revealed by the game. Active attackers that may try to take advantage of leaked passwordsmust compute the CDH of the global parameters M and N or at least compute the squared versionof this problem CDH(M,M), with the help of a DDH oracle. We show that the protocol is flexiblewith respect to the generation procedure, provided that the previous problem is hard to solve. Thisincludes, in particular, the case where M is a uniform group element and M = N .

To this end, we formalize a family of assumptions parametrized by a distribution D that outputsa pair of elements in Zq, where q is a large prime. The assumptions are stated with respect to a groupG of order q and generator g.

Definition 5.1 (Gap Computational Diffie-Hellman (D-GCDH)). The D-GCDH assumptionstates that, for any ppt adversary A, the following probability is small.

AdvGCDHA := Pr

[Z = gxy : Z ←$ADDH(·,·,·)(gx, gy); x←$Zq; y ←$D(x)

]

The standard GCDH assumption is a particular case when D is the uniform distribution overZq. We denote this by U-GCDH. The Gap Squared Diffie-Hellman (GSqDH) assumption is anotherparticular case, when we restrict the previous case to D outputting x = y. For simplicity, in ouranalysis, we will restrict our attention to global parameter sampling operations where we exclude thepossibility that x = 0 or y = 0. This means that the bound for our proof includes an extra statisticalwhen we remove this restriction (this will be of the form (qs + qe)/q for standard GCDH). We willalso rely on the weaker Gap Discrete Logarithm assumption.

1 There is a subtlety here which further justifies our presentation with gap assumptions. Our proof in thealgebraic model uses the gap oracles on values queried by attackers to a random oracle. As random oracles arean abstraction of local computation, it is perhaps unreasonable to ask that the algebraic adversary providesus with representations of those values. If this is not required from the adversary, then our proof does notnecessarily imply a reduction to DL for algebraic attackers, and we must rely on the gap assumptions. Forthis reason, in our proof we only make explicit use of the algebraic nature of the adversary on messagesthat it explicitly delivers.

Page 38: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

4

Definition 5.2 (Gap Discrete Logarithm (GDL)). The GDL assumption states that, for any pptadversary A, the following probability is small.

AdvGDLA := Pr

[x′ = x : x′ ←$ADDH(·,·,·)(gx); x←$Zq

]

Finally, for the version of our result where we do not rely on the assumption that the adversaryis algebraic, we require the following assumption introduced in [AP05], which we extend to the gapversion.

Definition 5.3 (Gap Discrete Logarithm Password-based Chosen-basis ComputationalDiffie-Hellman assumption (GPCCDH)). The D-GPCCDH assumption states that, for any pptadversary A, the following probability is small.

AdvD-GPCCDHA := Pr

C = CDH(A1/B

pw1 , A2/B

pw2 )

∣∣∣∣∣∣∣∣∣∣

b1 ←$Zq; b2 ←$D(b1)A1 ←$G;B1 ← gb1 ;B2 ← gb2

(A2, st)← AGPCCDH(·,·,·)2 (B1, B2, A1)

pw←$PC ← AGPCCDH(·,·,·)

2 (pw, st)

It was shown in [AP05] that the assumption above without the DDH oracle is implied by thestandard CDH problem. The proof extends naturally to gap versions of the problems, so we have thefollowing.

Lemma 5.4 ([AP05], Lemma 3.4). For all GPCCDH adversaries A there exists an adversary Bsuch that:

2

|P| ≥ AdvD-GPCCDHA ≥ 1

|P| + ε =⇒ AdvD-GCDHB ≥ |P|

128· ε3 .

Here we present the lemma for the version where 1/|P| is large when compared to ε, i.e., we are dealingwith passwords with significantly lower entropy than the security parameter.

In the proof of SPAKE2 with key confirmation, we will assume that the Key Derivation Function(KDF) is a Pseudorandom-Function (PRF). This assumption is implied by the standard notions ofsecurity for KDFs [Kra10].

Definition 5.5 (Pseudorandom Function). A Key Derivation Function KDF with key space K,domain D and range R is PRF-secure if, for any ppt adversary A, the following advantage term issmall.

AdvPRFA :=∣∣∣Pr[b = 1 : b←$AKDF(K,·)( );K ←$K

]− Pr

[b = 1 : b←$AF (·)( ); F ←$F

]∣∣∣

Here F is the set of all functions with domain D and range R.

In our proof, we actually only require a PRF that is pseudorandom for one input per key, and we willdenote this weaker requirement by 1PRF.

Finally, in the proof of SPAKE2 with key confirmation, we require the standard unforgeabilityproperty for a one-time MAC.

Definition 5.6 (One-time MAC security). A MAC scheme with key space K and domain D isone-time unforgeable if, for any ppt adversary A, the following advantage term is small.

Adv1UFA := Pr [ t = MAC(K,m) : (m, t)←$A( );K ←$K ]

Page 39: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Supplementary Material: Game-based Proofs for SPAKE2 5

6 Perfect Forward Security Proof

Theorem 6.1. SPAKE2 is tightly PFS-secure in the random-oracle model under the Gap SquaredDiffie-Hellman assumption. More precisely, for every algebraic attacker A against SPAKE2, there existattackers B1 and B3 against the Gap Diffie-Hellman problem, attacker B2 against the Gap DiscreteLogarithm problem, and attacker B4 against the Gap Squared Diffie-Hellman problem such that

Advspake2A ( ) ≤ 2qs|P| + AdvU-GCDH

B1( ) + AdvGDL

B2( ) + AdvD

?-GCDHB3

( ) + AdvGSqDHB4

( ) +(qs + qe)

2

2q

Here there is an extra qs/|P| term that is a consequence of our game hopping strategy, which hasbeen chosen for clarity by separating the weak forward secrecy property from the strong one thatrelies on algebraic adversaries. Using a different sequence of hops, one can remove the extra term byaggregating the two bad events that give rise to these terms into a single one.

Theorem 6.2. SPAKE2 is PFS-secure in the random-oracle model under the Gap ComputationalDiffie-Hellman assumption. More precisely, for every attacker A against SPAKE2, there exist attackersB1 and B3 against the Gap Diffie-Hellman problem, attacker B2 against the Gap Discrete Logarithmproblem, and attacker B4 against the Gap GPCCDH Diffie-Hellman problem such that

Advspake2A ( ) ≤ qs|P| + AdvU-GCDH

B1( ) + AdvGDL

B2( ) + AdvD

?-GCDHB3

( ) + 2qs · AdvGPCCDHB5

( ) +(qs + qe)

2

2q

Note that in the above bound there exists an extra 2qs/|P| within the GPCCDH advantage, sincewe only have guarantees based on GCDH once that advantage term grows above this limit, so thisbound is worse than the one in Theorem 6.1.

We give a joint proof for both theorems, since they only differ in the proof of the last game hop.The code of all games and adversaries is given in Appendix A.

Proof. We prove the security of SPAKE2 using a sequence of games shown in Figs. 3 to 5. In Table 1we give a summary of the meaning of bad events in each game.

Game G1. This is the initial security game, so we have:

Advspake2A ( ) = |Pr[G1 ⇒ T ]− 1/2 |

Game G2. From game G1 to game G2 we introduce a bad flag bad2. The bad2 flag is set whenever

– a session is about to be accepted on the server side that collides on (U, S,X?, Y ?) with anypreviously accepted session;

– a session is about to be accepted on the user side that collides on (U, S,X?, Y ?) with any previouslyaccepted user session.

If bad2 is set, then the oracle call is ignored and the session is not accepted.Note that this implies that all accepted sessions on the server (resp. client) side are unique and

that no session can have more than one partner. The two games are identical until bad occurs, andthis event can be bound by a statistical term. More precisely, for an attacker placing at most qe queriesto Execute and qs queries to the Send oracles, we have for large q denoting the order of the group:

|Pr[G1 ⇒ T ]− Pr[G2 ⇒ T ] | ≤ (qe + qs)2

2q

Here, qe+qs denotes the maximum number of accepted sessions (we count passively partnered sessionsas one here) and this is a birthday bound computed pessimistically for an attacker that makes accepted

Page 40: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

6

sessions collide by fixing the user, server and one of the transmitted group elements in all acceptedsessions.

Game G3. In this game we take advantage of the fact that accepted sessions have unique traces(modulo partnering) to make the freshness condition explicit in the game (we extend the state ofsessions to keep track of freshness with a new field fr). We also remove the code that refers to bad2.Since nothing changes, we have

Pr[G3 ⇒ T ] = Pr[G2 ⇒ T ]

Game G4. In this game we make the keys of sessions accepted as a result of calls to Executeindependent from the random oracle accessible to the attacker. These sessions obtain keys from a newrandom oracle Te that is indexed by the session trace (U, S,X?, Y ?). Note that, due to the guaranteeof session uniqueness on the server and client sides, there is no room for ambiguity. We set a bad flagbad4 if ever the answers given to the attacker could be inconsistent with the previous game: eitherbecause a new accepted session in Execute collides with a previous call to H, or because a new call toH collides with a previously accepted session in Execute. The games are identical until bad occurs,so we have:

|Pr[G3 ⇒ T ]− Pr[G4 ⇒ T ] | ≤ Pr[G4 ⇒ bad4 ]

The probability of bad4 occurring in G4 can be tightly reduced to the standard Gap CDH prob-lem,which means that:

Pr[G4 ⇒ bad4 ] ≤ AdvU-GCDHB1

( )

The reduction to Gap CDH is given in Lemma 6.4.

Game G5. In game G5 we again rearrange code in preparation for the next hop. We remove the codethat deals with bad events, and we change Execute so that nothing depends on passwords. We cando this because the random oracle that generates these keys only depend on the trace, which can besampled independently of passwords. We have

Pr[G5 ⇒ T ] = Pr[G4 ⇒ T ]

Game G6. In this game we change the way in which we generate keys for Send queries. We treatcorrupt sessions, for which the attacker may trivially compute the key, as before. The remaining keysare derived using an independent random oracle Ts. We set a bad flag bad6 if ever there could be aninconsistency with the main random oracle. As before, this means that:

|Pr[G5 ⇒ T ]− Pr[G6 ⇒ T ] | ≤ Pr[G6 ⇒ bad6 ]

We also observe that, since all fresh sessions that can be tested now have keys derived using randomoracles independent from H, accepted keys of fresh sessions are independently distributed from any-thing else in the game. This means that the attacker has no information on bit b and has therefore 0advantage in this game. From the previous equations we can derive that:

Advspake2A ( ) ≤ (qs + qe)2

2q+ AdvU-GCDH

B1( ) + Pr[G6 ⇒ bad6 ]

To bound the probability of bad6 we need to continue our sequence of hops.

Game G7. We modify the way in which X? and Y ? are generated, removing the component thatdepends on the password. The distribution of the X? and Y ? values does not change with respect tothe previous game, but we need to adapt the way in which the Diffie-Hellman tuples are computed, tomake sure we obtain the same values as in the previous game. After we make this change, passwordsassociated with fresh sessions are still (and only) used to check for the bad event bad6. We add aflag bad7 to account for the unlikely case that a password occurring in the game (either queried by

Page 41: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Supplementary Material: Game-based Proofs for SPAKE2 7

the adversary or sampled by the challenger) collides with the secret exponents used in X? and Y ?

sampled by the challenger. If this happens, we reset bad6 at the end of the game. The probability ofthis event occurring can be easily reduced to the GDL problem, as shown in Lemma 6.5. We thereforehave:

Pr[G6 ⇒ bad6 ] ≤ Pr[G7 ⇒ bad6 ] + AdvGDLB2

( )

Game G8. We now change the checking of bad6 to allow delaying all password samplings as lateas possible in the game: upon corruption or at the end of the game. This means we stop verifyingpassword equality when checking for bad6 in the Send oracles (there is no impact in the random oraclesimulation because the attacker provides the password explicitly there). Without additional changes,we might not be able to tightly relate the probability of bad6 in this new game to its probability in theprevious game, since we have relaxed the check that detects it. We therefore need to add additionalchecks that allow us to continue the proof. There are two important cases to distinguish:

– the attacker causes bad6 for a password that has not been generated yet (this includes all occur-rences in the Send oracles and some in the random oracle simulation).

– the attacker causes bad6 by querying the random oracle on the correct password after the passwordhas been corrupted (intuitively it does not need to guess the password in this case);

For the second case we set a bad flag bad28 and no longer set bad6.For the other cases we add the potentially problematic random oracle entries to a list Tbad, so that

we can delay the analysis of potential inconsistencies until the end of the game. At the end of the gamewe split the checking of bad6 into two cases. We set a bad flag bad18 if in the Tbad log of problematicH calls there are two entries consistent with a single entry in Ts, i.e., with different passwords; in thiscase we no longer set bad6. Finally, we check for bad6 simply by going through the list of problematicentries and checking whether there is a password match.

The combined actions of the three bad flags in this game account for all possible cases in whichbad6 can occur in game G7, so we can write:

Pr[G6 ⇒ bad7 ] ≤ Pr[G8 ⇒ bad6 ] + Pr[G8 ⇒ bad18 ] + Pr[G8 ⇒ bad28 ]

The probability of bad18 occurring in G8 can be tightly reduced to Gap CDH, where we use here thegeneralized version for any parameter distribution D where the CDH problem is hard to compute withthe help of a DDH oracle;2 the reduction is given in Lemma 6.6.

We complete the analysis of this game by further observing that the probability of bad6 happeningis easy to bound. Indeed, the size of the log in which bad6 is checked has size at most qs (since therecan be no duplicates for the same trace) and all entries are added to this set before the correspondingpassword is sampled. We therefore have

Pr[G8 ⇒ bad6 ] ≤ qs|P|

Putting these results together, we obtain:

Pr[G7 ⇒ bad6 ] ≤ Pr[G8 ⇒ bad6 ] + Pr[G8 ⇒ bad18 ] + Pr[G8 ⇒ bad28 ]

≤ qs|P| + AdvD

?-GCDHB3

( ) + Pr[G8 ⇒ bad28 ]

To complete the proof we need to bound the probability of bad28 occurring in G8, and so we continueour sequence of hops.

Game G9. For clarity of presentation, in game G9 we perform a cleanup, removing all code unrelatedto bad28. We also add the possibility that the attacker passes an additional parameter alg when itdelivers a message. This additional parameter is ignored for now, so clearly

2 Note that this does not weaken our result, as one can take D to be the uniform distribution. On the otherhand, it makes it clear that different parameter generation procures can be used and our proof stil applies.

Page 42: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

8

Pr[G8 ⇒ bad28 ] = Pr[G9 ⇒ bad28 ]

To complete the proof for Theorem 6.2 we give in Lemma 6.8 a reduction of the above probabilityto GPCCDH, which yields the desired bound:

Advspake2A ( ) ≤ qs|P| + AdvU-GCDH

B1( ) + AdvGDL

B2( ) + AdvD

?-GCDHB3

( ) + 2qs · AdvGPCCDHB5

( ) +(qs + qe)

2

2q

We proceed with a final game hop to complete the proof for Theorem 6.1.

Game G10. This is our final game. Here we restrict our attention to algebraic adversaries. This meansthat, when performing an active attack, the adversary provides an additional input alg to the Sendoracles that gives a representation of the group element it is producing in terms of the other groupelements it observed in the game. These elements include g, M , N and all the honestly generatedX? = Mx and Y ? = Ny. We note that this means that any group element produced by A can berewritten as a representation of the form alg = [(ga), (M b), (N c)].

We now add a bad flag bad10 that excludes some password guessing events related to bad28. Whenthese happen, we no longer set bad28, whereas this would have been set in the previous game. Thismeans that:

Pr[G9 ⇒ bad28 ] ≤ Pr[G10 ⇒ bad28 ] + Pr[G10 ⇒ bad10 ]

Event bad10 is detected whenever a password is sampled at the moment of corruption, and it hits analready fixed representation of a group element produced by the attacker. The offending values areb+λ(c−pw) for group elements delivered at SendTerm and b−pw+λc for group elements deliveredat SendResp. If this event is detected, then we never set bad28, so in this game the analysis of bad28can proceed under the assumption that bad10 did not occur. The probability of this event is easy tobound as

Pr[G10 ⇒ bad10] ≤ qs|P|

The remaining cases where we set bad28 can be reduced to the Gap Squared Diffie-Hellman problem(GSqDH), as shown in Lemma 6.7. This completes the proof and yields the bound.

Advspake2A ( ) ≤ 2qs|P| + AdvU-GCDH

B1( ) + AdvGDL

B2( ) + AdvD

?-GCDHB3

( ) + AdvGSqDHB4

( ) +(qs + qe)

2

2q

A different sequence of games permits removing a qs/|P| term, yielding the expected bound for PAKE.ut

Corollary 6.3. SPAKE2 is weak PFS-secure in the random-oracle model under the Gap Computa-tional Diffie-Hellman assumption. More precisely, for every attacker A against SPAKE2, there existattackers B1 and B3 against the Gap Diffie-Hellman problem and attacker B2 against the Gap DiscreteLogarithm problem such that

Advspake2A ( ) ≤ qs|P| + AdvU-GCDH

B1( ) + AdvGDL

B2( ) + AdvD

?-GCDHB3

( ) +(qs + qe)

2

2q

Proof. In the weak forward secrecy model, corruption of password pwus makes all fresh session wherethe adversary was active immediately unfresh and, furthermore, corruption is not allowed if such asession was already tested. It is easy to see that a simple adaptation of the previous proof can be donefor this setting, where the probability of event bad28 occurring is 0 and the advantage of the adversaryis still 0: for such cases where the event would occur we simply return Ts[tr] as the answer to theproblematic H query. ut

We now prove the auxiliary lemmas supporting the proofs of Theorems 6.1 and 6.2.

Page 43: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Supplementary Material: Game-based Proofs for SPAKE2 9

Lemma 6.4. For every attacker A, there exists an attacker B1, such that

Pr[G4 ⇒ bad4 ] ≤ AdvU-GCDHB1

( )

Proof. Let us consider the GCDH attacker B1 in Fig. 6. It gets a generalized challenge of the form(X1, . . . , Xqe , Y1, . . . , Yqe) and finds CDH(Xi, Yj), for some 1 ≤ i, j ≤ qe. This problem is tightlyequivalent to U-GCDH by random self-reducibility. The attacker embeds Xi and Yj in traces forprotocol executions that result from calls to Execute. For all calls to Send oracles, the attacker runseverything as in G4. The DDH oracle is used to check for the bad event, in which case a solution tothe GCDH problem was found. It uses the DDH oracle whenever the rules of the game require it, andit can also use it to check if bad4 occurred, in which case it can solve the Gap CDH challenge.3 ut

Lemma 6.5. For every attacker A, there exists an attacker B2, such that

Pr[G7 ⇒ bad7 ] ≤ AdvGDLB2

( )

Proof. Let us consider a GDL attacker B2 in Fig. 6. It gets a challenge of the form A and findsDL(A). The attacker uses A in Send queries to compute X? = A · g∆ and Y ? = A · g∆. Note thatthe distribution of these values is correct. The checking of CDH tuples, which is needed for correctlymaintaining random-oracle consistency, is carried out using the DDH oracle.

If bad7 occurs, our reduction recovers the discrete logarithm of A offset by a known quantity.Indeed, suppose the attacker guessed pw = x or pw = y in game G7, which means we have X? = gmpw

or Y ? = gnpw. In our reduction we program both X? and Y ? as ga+∆, where a is the unknown discretelogarithm, and we know all of m, pw and ∆. This means that, if the guess was successful, we cancompute the discrete logarithm as a = mpw −∆ or a = npw −∆. ut

Lemma 6.6. For every attacker A, there exists an attacker B3, such that

Pr[G7 ⇒ bad18 ] ≤ AdvD?-GCDHB3

( )

Proof. Let us consider a D?-GCDH attacker B3 in Fig. 6. It gets a challenge of the form (M,N)and finds CDH(M,N). The attacker uses (M,N) as the variables of the same name in game G8. Thechecking of CDH tuples, which is needed for correctly maintaining random-oracle consistency anddetecting bad events, is carried out using the DDH oracle.

Once the game terminates, the attacker checks for the occurrence of bad18 and if offending entriesexist, it recovers (X?, Y ?, pw, Z) and (X?, Y ?, pw′, Z ′) such that pw 6= pw′ and the following holds forknown x or known y, and known pw and pw′:

CDH(gmx/Mpw, gny/Npw) = Z ∧ CDH(gmx/Mpw′ , gny/Npw′) = Z ′

Letting Z = gz, Z ′ = gz′, we can rewrite these equations as

{m(x− pw) · n(y − pw) = zm(x− pw′) · n(y − pw′) = z′

Let us assume that the attacker knows x (the other case is symmetric). We scale the equations andrearrange the formula as follows:

{m(x− pw)(x− pw′) · n(y − pw) = z · (x− pw′)m(x− pw′)(x− pw) · n(y − pw′) = z′ · (x− pw)

3 Note that it actually suffices to have a restricted DDH oracle in which one of the inputs is fixed as in theStrong Diffie-Hellman (SDH) problem [ABR01], so a tight reduction to SDH is also possible. Furthermore,storing all possible values that cause the bad event and returning one at random gives a reduction to CDHthat loses a linear factor in the maximum size of the random-oracle table.

Page 44: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

10

Subtracting the two equations, we get

z(x− pw′)− z′(x− pw) = mn(x− pw)(x− pw′)(pw′ − pw)

And we can derive a formula for the desired CDH:

gmn =(Zx−pw

′ · Z ′pw−x) 1

(x−pw)(x−pw′)(pw′−pw)

This formula can be computed by the attacker, provided that x 6= pw and x 6= pw′, which we know tobe the case as otherwise the bad event would not have occurred due to the action of bad7. utLemma 6.7. For every algebraic attacker A, there exists an attacker B4, such that

Pr[G10 ⇒ bad28 ] ≤ AdvGSqDHB4

( )

Proof. The reduction is given in Fig. 7. In the unlikely event that M = 1 there is nothing to do, asthe problem is trivial to solve. We can also assume that the conditions checked to activate bad7 allfailed, as otherwise bad28 would have been reset. This implies, in particular, that there are no entriesin Ts such that the secret exponent x or y collides with the password pwus.

Given M , the reduction sets N = Mλ, for random non-zero λ, which yields correctly distributedglobal parameters. Similarly to what happened in the proof of Lemma 6.6, we use the DDH oracle toensure the simulation is perfect, so it remains to show that our reduction can compute CDH(M,M)whenever bad28 occurs. There are two cases to consider, depending on whether we are dealing with asession accepted by a user or by a server.

Sessions accepted in SendTerm. We know that the following equation holds.

Z = CDH

(Mx

Mpw,gaM bN c

Npw

)

This can be rewritten as:

Z = CDH(Mx−pw, gaM bN c−pw)⇔ Z

Ma(x−pw) = CDH(Mx−pw,M bN c−pw)

Replacing N = Mλ and rearranging the exponents we get

Z

Ma(x−pw) = CDH(M,M)(x−pw)(b+λ(c−pw))

We can therefore recover the desired SqDH provided that (x−pw)(b+λ(c−pw)) 6= 0. So see that thiscan never happen, note b + λ(c − pw) 6= 0, as otherwise bad10 would have happened and this entrywould not be in the list, and we also excluded x = pw above. This means that we can compute theSqDH.

Sessions accepted in SendResp. In this case we know that the following equation holds.

Z = CDH

(gaM bN c

Mpw,Ny

Npw

)

This can be rewritten as:Z = CDH(gaM b−pwN c, Ny−pw)

Replacing N = Mλ and rearranging the exponents we get

Z = CDH(gaM b−pw+λc,Mλ(y−pw))⇔ Z

Maλ(y−pw) = CDH(M,M)(b−pw+λc)(y−pw)

We can therefore recover the desired SqDH provided that (b− pw + λc)(y − pw) 6= 0. So see that thiscan never happen, note that we know that y − pw 6= 0 and it must be the case that b− pw + λc 6= 0,as otherwise bad210 would have happened and this entry would not be in the list. This means that theSqDH can be computed. ut

Page 45: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Supplementary Material: Game-based Proofs for SPAKE2 11

Lemma 6.8. For every attacker A, there exists an attacker B5, such that

Pr[G9 ⇒ bad28 ] ≤ 2qs · AdvGPCCDHB5

( )

Proof. The reduction is given in Fig. 7. Our adversary B5 guesses a query in the range [0..qs-1]and chooses a role uniformly at random to guess whether the challenge should be injected on theresponder side or on the initiator side. The behavior conditioned on these guesses is shown in thefigure as two different versions of B5, one for initiator side and another for responder side. Similarlyto what happened in the proof of Lemma 6.6, we use the DDH oracle to ensure the simulation isperfect, and the correct result is produced as long as the guesses are correct. On the initiator side,the reduction is slightly more intricate as one needs to embed A1 in all possible initiator sessions thatmight lead to the bad event. The bound on the theorem follows from the fact that the reduction onlyworks if our attackers guesses are correct. ut

7 Security with Key Confirmation

The result we obtained in the previous section provides guarantees even if the derived secret keys areused before a key confirmation step. However, in most practical settings a key confirmation step existsand, in this case, a much better security bound can be proved. This is what we do in this section. Weshow the modified protocol in Fig. 2. Note that a one-time secure MAC suffices.

Client Server

accept← F accept← F

x←$Zq y ←$Zq

X ← gx Y ← gy

X? ← X ·Mpw X ← X? /Mpw

Y ? ← Y ·Npw

(Ka,Ke)← H(U, S,X?, Y ?, pw, Xy)

(KU,S ,KS,U )← KDF(Ka, const)

Y ← Y ? /Npw tagS,U ← MAC(KS,U , sid)

(Ka,Ke)← H(U, S,X?, Y ?, pw, Y x)

(KU,S ,KS,U )← KDF(Ka, const)

Abort if tagS,U 6= MAC(KS,U , sid)

tagU,S ← MAC(KU,S , sid) Abort if tagU,S 6= MAC(KU,S , sid)

accept← T accept← T

pw ∈ P,M,N ∈ G

U,X?

S, Y ?, tagS,U

tagU,S

Fig. 2. The SPAKE2 protocol [AP05] with key confirmation. Here, const is a fixed point in the domain of theKDF, sid = (U, S,X?, Y ?) and Ke is the accepted session key.

Page 46: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

12

G2 bad2Accepted trace on responder side collides with any previously accepted trace or accepted trace on ini-tiator side collides with trace of any previously accepted initiator session. Bounded by a statistical term.

G4 bad4

Random oracle query consistent with the trace accepted as a result of a query to Execute. Such anevent would allow attacker to detect an inconsistency between the outputs of Test or Reveal and therandom oracle. Bounded by a tight reduction to GCDH.

G6 bad6

Random oracle query consistent with the trace accepted as a result of a query to one of the Sendoracles and declared fresh. Such an event would allow attacker to detect an inconsistency between theoutputs of Test or Reveal and the random oracle. Adversary’s view is independent of b in this game,but bad6 is hard to bound.

G7 bad6The meaning is the same as in the previous game, but it now is only triggered in cases where the otherbad event in this game does not occur.

bad7

Either there is a call to the random oracle with pw = x or pw = y, where x or y is one of the randomvalues sampled in the game. Or a password was sampled by the game that also collides with one ofthese values. Bounded by a tight reduction to GDL.

G8 bad6

The meaning is the same as in the previous games, but it now is only triggered in cases where theother bad event in this game does not occur. At this point this event can only happen for randomoracle queries placed before the associated password was sampled in the game. Furthermore, we knowthere can be at most qs entries, which results in a q/|P| term.

bad18

The attacker made two different random oracle queries consistent with the trace of the same freshsession, i.e. with different passwords, before the corresponding password was sampled. Bounded by atight reduction to GCDH.

bad28

The attacker made a random oracle query consistent with the trace of a fresh session, after thecorresponding password was corrupted and hence sampled by the game. We delay bounding theprobability of this event until game G9 for clarity.

G9 bad28

Same meaning as in the previous game and same probability of occurrence. We fork here the proofsof Theorems 6.1 and 6.2. For the latter we immediately bound the event with a tight reduction toGPCCDH, which yields a loose reduction to GCDH via the splitting lemma of [PS00, AP05]. ForTheorem 6.2 we delay bounding this event until G10.

G10 bad28Same meaning as in the previous game, but now only set when the other bad flag in this game is notset. Bound using a reduction to GSqDH assuming an algebraic adversary.

bad10

The adversary commited to a representation of a group element in a Send query that predicts a passwordsampled later in the game. The probability of this event occurring can be easily bound as qs/|P|.We also note here that the set of traces for which this event needs to be checked is disjoint fromthe set of traces for which bad6 needs to be checked in game G8. This is why the bound we give forTheorem 6.1 can be improved by removing a qe/|P| term using a different sequence of games.

Table 1. Meaning of the bad events in the different games.

Page 47: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Supplementary Material: Game-based Proofs for SPAKE2 13

Theorem 7.1. SPAKE2 with key confirmation is tightly PFS-secure in the random-oracle model un-der the GCDH assumption. More precisely, for every attacker A against SPAKE2, there exist attackersB6 and B3 against the Gap Diffie-Hellman problem, attacker B2 against the Gap Discrete Logarithmproblem, attacker B7 against the pseudorandomness of KDF and attacker B8 against the unforgeabilityof the MAC scheme such that

Advspake2A ( ) ≤ qs|P|+AdvU-GCDH

B6( )+AdvGDL

B2( )+AdvD

?-GCDHB3

( )+qs·(Adv1PRFB7

( ) + Adv1UFB8( ))

+(qs + qe)

2

2q

Proof. Again we use a sequence of hops, but we explain here only the differences to the proofs in theprevious section. We give the games in Figs. 8 to 10 in Appendix B.

The hops up to game G4 are identical to those for the proofs in the previous section. In game G4, asbefore, we exclude the possibility of the adversary breaking a session where it behaved passively but,in addition to Execute queries, we handle also the sequences of Send queries where the adversaryestablishes sessions with traces (U, S,X?, Y ?) where the messages were generated by the game. Wegive a modified reduction to deal with this case in Lemma 7.3 and note that here the gap oracle is notonly used to detect the correct CDH answer, but to maintain consistency of all other sessions wherethe attacker is active.

We now carry on the the discussion of the following hops in detail from game G6.

Game G6. This game introduces an independent random oracle for keys derived for (possibly aborted)fresh sessions. Flag bad6 corresponds to the attacker observing an inconsistency in the hash queriesfor H. As in the previous proof, we have

Advspake2A ( ) ≤ (qs + qe)2

2q+ AdvU-GCDH

B6( ) + AdvGDL

B2( ) + Pr[G7 ⇒ bad6 ],

where the term corresponding to B6 highlights the fact that the reduction that deals with passivesessions is the one given in Lemma 7.3. Furthermore, as before, the adversary’s view in this game isindependent of the secret bit b and it only remains to bound the probability of bad6 occurring. Let ustake a closer look at game G6 to confirm that this is the case.

First of all, let us confirm that all the session keys corresponding to fresh accepted sessions havebeen moved to an independent random oracle, whereas all revealable (accepted) non-fresh keys havenot. Notice that random oracle queries are added to Ts rather than T in two occasions:

– When a Send query starts a responder session for an uncorrupted password; this session may ormay not turn out to be accepted and, if it is, it may or may not be fresh.

– When a Send query is about to conclude a fresh initiator session (such an entry has not yet beenpreviously added to Ts since we never do this for sessions where the attacker is passive); thissession may or may not be accepted due to MAC verification.

For the latter type of entries, if the MAC verification passes, then the session will be accepted as fresh,so we must ensure that such an entry is never removed from Ts in this case. Removal could only occurin the Corrupt oracle, but here the check performed guarantees that entries are only removed fromTs when no accepted fresh session with that trace exists.

For the first type of entry, we must ensure that the entry is removed from Ts whenever it might beaccepted as unfresh. This is ensured by the corruption oracle: it removes any such entries upon corrup-tion and reprograms the global random oracle with the corresponding key material when corruptionoccurs before any session with that trace is accepted.

Note further that the corrupt oracle also cleans up any entries in Ts corresponding to traces ofpotentially fresh sessions that the attacker failed to conclude before corruption (e.g., by deliveringan inconsistent MAC). This means that, after corruption of pwus, the only entries that remain in Tscorresponding to (U, S) interactions must correspond to at least one fresh accepted session.

Page 48: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

14

Now let us confirm that any inconsistencies detected by the adversary in its queries to the globalrandom oracle (because it has observed in the game the output of the independent random oracle orsome usage of it) are correctly signalled by activating the bad6 flag.

The attacker may observe the action of the independent random oracle via the following oraclequeries:

– Reveal or Test queries to accepted fresh sessions.– MAC values computed using keys derived from entries in Ts rather than the global random oracle.

For all entries added and never removed from Ts, the bad6 flag is activated if a matching entry is everqueried to H in the game. This covers the first class of observations. MAC checks and computationsfor such sessions are handled similarly.

The possibility remains, however, that the attacker might observe a MAC value related to anentry in Ts that is later moved to T . If the query to H that causes the inconsistency comes while theoffending entry is in Ts, then bad6 is activated as before. Otherwise, note that entries moved from Tsto T retain the key material, so subsequent queries to H will actually be consistent.

Game G7. The intuition of this hop is identical to that for game G7 in the proofs of the previoussection: we change the way we generate messages in Send queries and set a bad flag if, due to someunlikely event, one of the random exponents generated by the game to do this occurs as a passwordin the game. This event can be bounded by a reduction to GDL, as shown in Lemma 6.5, so we have:

Advspake2A ( ) ≤ (qs + qe)2

2q+ AdvU-GCDH

B1( ) + AdvGDL

B2( ) + Pr[G7 ⇒ bad6 ]

Game G8. In this game we reject any tags submitted by the attacker to a Send oracle that would resultin a new fresh session being accepted, when it has no information on the corresponding authenticationkey. More in detail:

– If a fresh session is about to be accepted on the initiator side, and there does not exist a matchingsession on the responder side, then the attacker has never observed any computation based on thecorresponding Ts entry.

– If a fresh session is about to be accepted on the responder side, and there does not exist a matchingsession on the initiator side, then the attacker may have observed a MAC computed with KS,U ,but it has no information about KU,S .

Note that, by rejecting these sessions, the attacker can now only complete fresh sessions by behavingpassively.4 We add a bad flag bad8 to deal with cases where the tag would have been accepted in theprevious game and, when this flag is activated, the potentially fresh session is forgotten and removedfrom the independent random oracle. This also means that, in this game, bad6 can now only occurafter corruption for sessions where the attacker behaved passively, which is why we can further restrictthe setting of the bad fact to non-corrupted passwords. To see that this is indeed the case, observethat bad6 happens while entries are in Ts, but in this game we remove from Ts traces correspondingto active behaviour before the corresponding password is corrupted (as otherwise these sessions wouldnot lead to fresh sessions anyway).

The probability of bad8 occurring can be bounded using the PRF property of KDF and the standard(one-time) unforgeability of the MAC scheme. A formal proof is given in Lemma 7.4. Therefore wehave

Pr[G7 ⇒ bad6 ] ≤ Pr[G8 ⇒ bad6 ] + qs ·(Adv1PRFB7

( ) + Adv1UFB8( ))

Game G9. In this game we introduce changes similar to those we introduced in G8 of the proofs ofTheorems 6.1 and 6.2 in moving all password-related checks to the end of the game. However, unlike

4 Forging MACs that result the same trace being accepted as in passive behaviour is not considered an activeattack. This maps to the standard existential unforgeability notion.

Page 49: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Supplementary Material: Game-based Proofs for SPAKE2 15

in the previous section, we can now move all occurrences of bad6 to the end, since we handled theproblematic queries placed after corruption in the previous game hops. We move checks to the endby introducing a Tbad list, and a final bad event bad9 for executions where the attacker is able toconstruct two different consistent entries in this list for the same trace and different passwords.

Analysis of bad9 and bad6 in game G9 are identical to the analyses of bad6 and bad18 in game G8

of the proofs in the previous section: bad6 is the probability of passwords guessing, whereas bad10 canbe reduced to GCDH as proved in Lemma 6.6. We therefore have

Pr[G8 ⇒ bad6 ] ≤ Pr[G9 ⇒ bad6 ] + Pr[G9 ⇒ bad9 ] ≤ qe|P| + AdvGCDH

B3( )

This concludes the proof. ut

The above proof also establishes that SPAKE2 with key confirmation provides explicit authenti-cation defined formally as:

– if a client U accepts a session with server S, then S has a pending unique session where it hasderived the same key and session identifier (U, S,X?, Y ?);

– if a server S accepts a session with client U , then U has already accepted a unique session withthe same key and session identifier (U, S,X?, Y ?).

We state this as the following corollary, which shows that impersonation can only be achieved withnegligible probability beyond guessing the password.

Corollary 7.2. SPAKE2 with key confirmation provides explicit authentication.

Proof. The proof follows the same sequence of hops as that of Theorem 7.1. We can observe that inthe final game a session is accepted only if the adversary behaved passively, which means that explicitauthentication is guaranteed with the same bound. More precisely, the attacker can break explicitauthentication with probability at most

qs|P| + AdvU-GCDH

B6( ) + AdvGDL

B2( ) + AdvD

?-GCDHB3

( ) + qs ·(Adv1PRFB7

( ) + Adv1UFB8( ))

+(qs + qe)

2

2q

ut

Remark. We note that the proof strategy we use here for dealing with sessions where the attackerbehaves passively actually shows that SPAKE2 is secure in a stronger model where the adversarydoes not have access to the Execute oracle and can instead adaptively decide how to orchestrate abounded number of qe passive attacks concurrently with a bounded number of qs active attacks. Forthis, the use of the gap oracle is essential in the proof step that handles passive attacks. The strategywe used in the previous section does not use this strategy for clarity, but the same observations apply.

Lemma 7.3. For every attacker A, there exists an attacker B6, such that

Pr[G4 ⇒ bad4 ] ≤ AdvU-GCDHB6

( )

Proof. Let us consider the GCDH attacker B6 in Fig. 11. It gets a generalized challenge of the form(X1, . . . , Xqe+qs , Y1, . . . , Yqe+qs) and finds CDH(Xi, Yj), for some 1 ≤ i, j ≤ qe. This problem is tightlyequivalent to U-GCDH by random self-reducibility. The attacker embeds Xkx and Yky in all game-generated X? and Y ?, which means that it cannot compute the CDH for any session. However, itcan use the DDH oracle to check when H queries for a given group element Z match traces whereCDH(X,Y ) = Z. Additionally, the DDH oracle is used to check for the bad event, in which case asolution to the GCDH problem was found. ut

Page 50: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

16

Lemma 7.4. For every attacker A, there exist attackers B7 and B8, such that

Pr[G8 ⇒ bad8 ] ≤ qs ·(Adv1PRFB7

( ) + Adv1UFB8( ))

Proof. Consider the modified version of game G8 we present in Figure 11 (game Gc8′) and let usconsider for now the behaviour of this game when c = F. In this case, the only difference betweenthe two games is that game GF

8′ only sets bad8 in one special `-th query to Send, while the originalversion of G8 might set the flag in many Send queries. However, this special query is chosen uniformlyat random and is outside of the adversary’s view, so it must be the case that, conditioning on theprobability that the randomly chosen ` correctly guesses the query that causes the first occurrence ofbad8 in game G8, the probability of bad8 occurring in the two games is the same. This implies,

Pr[G8 ⇒ bad8 ] = Pr[GF8′ ⇒ bad8 |` is correct] ≤ qs Pr[GF

8′ ⇒ bad8 ]

We can now focus on game G8′ . Observe that parameter c = T replaces the keys produced by theKDF with random ones for the `-th query. This means that it is easy to construct an attacker B 7 suchthat

Adv1PRFB7( ) =

∣∣Pr[GF8′ ⇒ bad8 ]− Pr[GT

8′ ⇒ bad8 ]∣∣

We omit the details of this reduction. At this point, it suffices to bound the probability of bad8 in gameGT8′ . We do this via a direct reduction to the one-time unforgeability property of the MAC scheme.

This is shown in Figure 11 as attacker B8. Again the reduction is simple: for the critical `-th query, theattacker fixes the authentication key that causes bad8 implicitly as the external MAC key for which itis trying to forge. When bad8 occurs, it returns the offending trace and authenticator as a forgery. ut

8 Implications

Nothing-up-your-sleeve global parameters. Our security proof applies without change to anydistribution of the global parameters (M,N) under which computing the CDH between the two withthe help of a DDH oracle is assumed to be hard. This means that simply sampling (M,N) uniformlyat random is a good choice when the GCDH assumption holds, and so is choosing M = H(K) andN = H(K ′) when H is modeled as a random oracle. Here the choice of K 6= K ′ means one is relyingon the standard GCDH assumption, whereas K = K ′ leads to M = N , which means relying on thesquared GCDH problem.

Removing the global parameters. Our proof extends to a variant of SPAKE2 where (M,N)are not generated in a global setup. Instead one can use (M,N) = H(U, S) and N = H(S,U), wheredifferent values of these parameters are precomputed for each user-server pair. The online efficiencyof the protocol is not affected. Modeling H as a random oracle, this means that each (U, S) pair nowposes an independent GCDH challenge to the active attacker. Our proof can be easily modified tocover this case with the same bound by observing that bad events that involve multiple sessions arealways defined between sessions established for the same user-server (U, S).

Reusing passwords. Our model assumes that user passwords are sampled independently for eachpair (U, S). The simple case of password reuse, where passwords are either repeats or they are sampledindependently can be easily addressed by extending the corrupt oracle to exclude additional trivialattacks: it should declare as corrupt all (U ′, S′) pairs that use the same password. The same proofapplies and the bound is not affected in this case, as the entropy of non-repeat passwords is assumedto be unaffected.

The treatment of more complex distributions follows in the same lines as described in [KOY09,Section 2.2.1].

Page 51: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Supplementary Material: Game-based Proofs for SPAKE2 17

References

ABR01. M. Abdalla, M. Bellare, and P. Rogaway. The oracle Diffie-Hellman assumptions and an analysis ofDHIES. In CT-RSA 2001, LNCS 2020, pages 143–158. Springer, Heidelberg, April 2001.

AFP05. M. Abdalla, P.-A. Fouque, and D. Pointcheval. Password-based authenticated key exchange in thethree-party setting. In PKC 2005, LNCS 3386, pages 65–84. Springer, Heidelberg, January 2005.

AFP06. M. Abdalla, P.-A. Fouque, and D. Pointcheval. Password-based authenticated key exchange in thethree-party setting. IEE Proceedings — Information Security, 153(1):27–39, March 2006.

AP05. M. Abdalla and D. Pointcheval. Simple password-based encrypted key exchange protocols. In CT-RSA 2005, LNCS 3376, pages 191–208. Springer, Heidelberg, February 2005.

BPR00. M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated key exchange secure against dictionaryattacks. In EUROCRYPT 2000, LNCS 1807, pages 139–155. Springer, Heidelberg, May 2000.

BR93. M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient proto-cols. In ACM CCS 93, pages 62–73. ACM Press, November 1993.

BR04. M. Bellare and P. Rogaway. Code-based game-playing proofs and the security of triple encryption.Cryptology ePrint Archive, Report 2004/331, 2004. http://eprint.iacr.org/2004/331.

FKL18. G. Fuchsbauer, E. Kiltz, and J. Loss. The algebraic group model and its applications. InCRYPTO 2018, Part II, LNCS 10992, pages 33–62. Springer, Heidelberg, August 2018.

KOY09. J. Katz, R. Ostrovsky, and M. Yung. Efficient and secure authenticated key exchange using weakpasswords. J. ACM, 57(1):3:1–3:39, 2009.

Kra05. H. Krawczyk. HMQV: A high-performance secure Diffie-Hellman protocol. In CRYPTO 2005, LNCS3621, pages 546–566. Springer, Heidelberg, August 2005.

Kra10. H. Krawczyk. Cryptographic extraction and key derivation: The HKDF scheme. In CRYPTO 2010,LNCS 6223, pages 631–648. Springer, Heidelberg, August 2010.

LK19. W. Ladd and B. Kaduk. SPAKE2, a PAKE. Internet-Draft draft-irtf-cfrg-spake2-09, IRTF, October2019.

Los19. J. Loss. New techniques for the modular analysis of digital signature schemes. PhD Thesis, Ruhr-Universitat Bochum, Universitatsbibliothek, 2019.

OP01. T. Okamoto and D. Pointcheval. The gap-problems: A new class of problems for the security ofcryptographic schemes. In PKC 2001, LNCS 1992, pages 104–118. Springer, Heidelberg, February2001.

PS00. D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. Journalof Cryptology, 13(3):361–396, June 2000.

Page 52: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

18

A Games and adversaries for the proof of Theorems 6.1 and 6.2

Page 53: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Supplementary Material: Game-based Proofs for SPAKE2 19

proc Initialize( ) G1, G2b ←$ {0, 1}; C ← {}; T ← {}; bad2 ← Fm ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

For U ∈ U, S ∈ S do pwus ←$P; Tst = { }Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← gx ·Mpwus

πiU ← (x, (U, S,X?,⊥),⊥, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

bad2 = T; Return ⊥X ← X? /Mpwus

K ← H(U, S,X?, Y ?, pwus, Xy)

πiS ← (y, (U, S,X?, Y ?), K, T)

Return (S, Y ?)

proc SendTerm(U, i, S, Y ?)

If πiU 6= (x, (U, S,X?,⊥),⊥, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr

bad2 = T; Return ⊥Y ← Y ? /Npwus

K ← H(U, S,X?, Y ?, pwus, Yx)

πiU ← (x, (U, S,X?, Y ?), K, T)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx ·Mpwus

y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

bad2 = T; Return ⊥K ← H(U, S,X?, Y ?, pwus, X

y)

πiU ← (x, (U, S,X?, Y ?), K, T)

πiS ← (y, (U, S,X?, Y ?), K, T)

Return (U,X?, S, Y ?)

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KT [U, S,X?, Y ?, pw, Z] ←$KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}Return pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥

Return πiP .K

proc Test(P, i)

If Fresh(πiP ) = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)Return b = b′

proc Initialize( ) G3b ←$ {0, 1}; C ← {}; T ← {}m ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

For U ∈ U, S ∈ S do pwus ←$P; Tst = { }Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← gx ·Mpwus

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥fr ← (U, S) /∈ CX ← X? /Mpwus

K ← H(U, S,X?, Y ?, pwus, Xy)

πiS ← (y, (U, S,X?, Y ?), K, T, fr)

Return (S, Y ?)

proc SendTerm(U, i, S, Y ?)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr

Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CY ← Y ? /Npwus

K ← H(U, S,X?, Y ?, pwus, Yx)

πiU ← (x, (U, S,X?, Y ?), K, T, fr)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx ·Mpwus

y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥K ← H(U, S,X?, Y ?, pwus, X

y)

πiU ← (x, (U, S,X?, Y ?), K, T, T)

πiS ← (y, (U, S,X?, Y ?), K, T, T)

Return (U,X?, S, Y ?)

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KT [U, S,X?, Y ?, pw, Z] ←$KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}Return pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)Return b = b′

proc Initialize( ) G4b ←$ {0, 1}; C ← {}; T ← {}; Tst = { }; Te ← {}m ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

For U ∈ U, S ∈ S do pwus ←$P; bad4 ← FReturn (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← gx ·Mpwus

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥fr ← (U, S) /∈ CX ← X? /Mpwus

K ← H(U, S,X?, Y ?, pwus, Xy)

πiS ← (y, (U, S,X?, Y ?), K, T, fr)

Return (S, Y ?)

proc SendTerm(U, i, S, Y ?)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr

Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CY ← Y ? /Npwus

K ← H(U, S,X?, Y ?, pwus, Yx)

πiU ← (x, (U, S,X?, Y ?), K, T, fr)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx ·Mpwus

y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥If (U, S,X?, Y ?, pwus, Y

x) ∈ T do bad4 ← TTe ← Te ∪ {(U, S,X?, Y ?, pwus, Y x)}K ←←$KπiU ← (x, (U, S,X?, Y ?), K, T, T)

πiS ← (y, (U, S,X?, Y ?), K, T, T)

Return (U,X?, S, Y ?)

proc H(U, S,X?, Y ?, pw, Z)

If ∃(U, S,X?, Y ?, pwus, Z) ∈ Te do bad4 ← TIf T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KT [U, S,X?, Y ?, pw, Z] ←$KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}Return pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)Return b = b′

Fig. 3. Security proof for SPAKE2. Games 1 to 4.

Page 54: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

20

proc Initialize( ) G5b ←$ {0, 1}; C ← {}; T ← {}m ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

For U ∈ U, S ∈ S do pwus ←$P; Tst = { }Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← gx ·Mpwus

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥fr ← (U, S) /∈ C

X ← X? /Mpwus

K ← H(U, S,X?, Y ?, pwus, Xy)

πiS ← (y, (U, S,X?, Y ?), K, T, fr)

Return (S, Y ?)

proc SendTerm(U, i, S, Y ?)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr

Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ C

Y ← Y ? /Npwus

K ← H(U, S,X?, Y ?, pwus, Yx)

πiU ← (x, (U, S,X?, Y ?), K, T, fr)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx

y ←$ Zq ; Y ? ← gy

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥K ←←$KπiU ← (x, (U, S,X?, Y ?), K, T, T)

πiS ← (y, (U, S,X?, Y ?), K, T, T)

Return (U,X?, S, Y ?)

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return K

T [U, S,X?, Y ?, pw, Z] ←$KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}Return pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)

Return b = b′

proc Initialize( ) G6b ←$ {0, 1}; C ← {}; T ← {}; Tst = { }; Ts ← {}m ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

For U ∈ U, S ∈ S do pwus ←$P; bad6 ← FReturn (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← gx ·Mpwus

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥fr ← (U, S) /∈ CIf ¬frX ← X? /Mpwus

K ← H(U, S,X?, Y ?, pwus, Xy)

ElseIf ∃(U, S,X?, Y ?, pw, Z) ∈ T ∧ pw = pwusX ← X? /Mpw

If Z = Xy do bad6 ← TK ←$K

Ts[U, S,X?, Y ?] ← (S, y,K)

πiS ← (y, (U, S,X?, Y ?), K, T, fr)

Return (S, Y ?)

proc SendTerm(U, i, S, Y ?)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr

Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ¬frY ← Y ? /Npwus

K ← H(U, S,X?, Y ?, pwus, Yx)

Else If (U, S,X?, Y ?) ∈ Ts(S, y,K) ← Ts[U, S,X

?, Y ?]Else

If ∃(U, S,X?, Y ?, pw, Z) ∈ T ∧ pw = pwusY ← Y ? /Npw

If Z = Y x do bad6 ← TK ←$K

Ts[U, S,X?, Y ?] ← (U, x,K)

πiU ← (x, (U, S,X?, Y ?), K, T, fr)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx

y ←$ Zq ; Y ? ← gy

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥K ←←$KπiU ← (x, (U, S,X?, Y ?), K, T, T)

πiS ← (y, (U, S,X?, Y ?), K, T, T)

Return (U,X?, S, Y ?)

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KIf (U, S,X?, Y ?) ∈ Ts ∧ pw = pwus

If Ts[U, S,X?, Y ?] = (U, x,K)

Y ← Y ? /Npw; Z′ ← Y x

If Ts[U, S,X?, Y ?] = (S, y,K)

X ← X? /Mpw; Z′ ← Xy

If Z′ = Z do bad6 ← TT [U, S,X?, Y ?, pw, Z] ←$KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}Return pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)

Return b = b′

proc Initialize( ) G7b ←$ {0, 1}; C ← {}; T ← {}; Ts ← {}; Tst = { }m ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

For U ∈ U, S ∈ S do pwus ←$P; bad6 ← F; bad7 ← FReturn (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← Mx

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← Ny

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥fr ← (U, S) /∈ CIf ¬frX ← X? /Mpwus ; y ← ny − npwusK ← H(U, S,X?, Y ?, pwus, X

y)Else

If ∃(U, S,X?, Y ?, pw, Z) ∈ T ∧ pw = pwusX ← X? /Mpw; y ← ny − npw

If Z = Xy do bad6 ← TK ←$KTs[U, S,X

?, Y ?] ← (S, y,K)

πiS ← (y, (U, S,X?, Y ?), K, T, fr)

Return (S, Y ?)

proc SendTerm(U, i, S, Y ?)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr

Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ¬frY ← Y ? /Npwus ; x ← mx −mpwusK ← H(U, S,X?, Y ?, pwus, Y

x)Else If (U, S,X?, Y ?) ∈ Ts

(S, y,K) ← Ts[U, S,X?, Y ?]

ElseIf ∃(U, S,X?, Y ?, pw, Z) ∈ T ∧ pw = pwusY ← Y ? /Npw; x ← mx −mpw

If Z = Y x do bad6 ← TK ←$KTs[U, S,X

?, Y ?] ← (U, x,K)

πiU ← (x, (U, S,X?, Y ?), K, T, fr)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx

y ←$ Zq ; Y ? ← gy

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥K ←←$KπiU ← (x, (U, S,X?, Y ?), K, T, T)

πiS ← (y, (U, S,X?, Y ?), K, T, T)

Return (U,X?, S, Y ?)

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KIf (U, S,X?, Y ?) ∈ Ts ∧ pw = pwus

If Ts[U, S,X?, Y ?] = (U, x,K)

Y ← Y ? /Npw; x ← mx −mpw; Z′ ← Y x

If Ts[U, S,X?, Y ?] = (S, y,K)

X ← X? /Mpw; y ← my − npw; Z′ ← Xy

If Z′ = Z do bad6 ← TT [U, S,X?, Y ?, pw, Z] ←$KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}Return pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)If ∃U S, (?, pwus, ?) ∈ Ts do bad7 ← TIf ∃ pw, (?, pw, ?) ∈ Ts ∧ (?, ?, ?, ?, pw, ?) ∈ T

bad7 ← TIf bad7 = T do bad6 ← F

Return b = b′

Fig. 4. Security proof for SPAKE2. Games 5 to 7.

Page 55: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Supplementary Material: Game-based Proofs for SPAKE2 21

proc Initialize( ) G8b ←$ {0, 1}; C ← {}; T ← {}; Ts ← {}; Tst = { }bad6 ← F; bad7 ← F; Tbad ← {}; bad18 ← F; bad28 ← F

m ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← Mx

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← Ny

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr Return ⊥

fr ← (U, S) /∈ CIf ¬frX ← X? /Mpwus ; y ← ny − npwusK ← H(U, S,X?, Y ?, pwus, X

y)Else

For all (U, S,X?, Y ?, pw, Z) ∈ TX ← X? /Mpw; y ← ny − npw

If Z = Xy do Tbad ← Tbad ∪ {U, S,X?, Y ?, pw, Z}K ←$KTs[U, S,X

?, Y ?] ← (S, y,K)

πiS ← (y, (U, S,X?, Y ?), K, T, fr)

Return (S, Y ?)

proc SendTerm(U, i, S, Y ?)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr Return ⊥

fr ← ∃j, (U, S,X?, Y ?) = πjS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ¬frY ← Y ? /Npwus ; x ← mx −mpwusK ← H(U, S,X?, Y ?, pwus, Y

x)Else If (U, S,X?, Y ?) ∈ Ts

(S, y,K) ← Ts[U, S,X?, Y ?]

ElseFor all (U, S,X?, Y ?, pw, Z) ∈ TY ← Y ? /Npw; x ← mx −mpw

If Z = Y x do Tbad ← Tbad ∪ {U, S,X?, Y ?, pw, Z}K ←$KTs[U, S,X

?, Y ?] ← (U, x,K)

πiU ← (x, (U, S,X?, Y ?), K, T, fr)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx

y ←$ Zq ; Y ? ← gy

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥K ←←$KπiU ← (x, (U, S,X?, Y ?), K, T, T)

πiS ← (y, (U, S,X?, Y ?), K, T, T)

Return (U,X?, S, Y ?)

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KIf (U, S,X?, Y ?) ∈ Ts

If Ts[U, S,X?, Y ?] = (U, x,K)

Y ← Y ? /Npw; x ← mx −mpw; Z′ ← Y x

If Ts[U, S,X?, Y ?] = (S, y,K)

X ← X? /Mpw; y ← my − npw; Z′ ← Xy

If Z′ = Z:

If (U, S) ∈ C ∧ pw = pwus do bad28 ← T

If (U, S) /∈ C do Tbad ← Tbad ∪ {U, S,X?, Y ?, pw, Z}T [U, S,X?, Y ?, pw, Z] ←$KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}; pwus ←$PReturn pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)For (U, S) ∈ (U × S) \ C do pwus ←$PIf ∃U S, (?, pwus, ?) ∈ Ts do bad7 ← TIf ∃ pw, (?, pw, ?) ∈ Ts ∧ (?, ?, ?, ?, pw, ?) ∈ T

bad7 ← TIf bad7 = F

If ∃pw 6= pw′,(U, S,X?, Y ?, pw, Z) ∈ Tbad ∧(U, S,X?, Y ?, pw′, Z′) ∈ Tbad do bad18 ← T

ElseIf (U, S, ?, ?, pwus, ?) ∈ Tbad do bad6 ← T

Else bad28 ← F

Return b = b′

proc Initialize( ) G9b ←$ {0, 1}; C ← {}; T ← {}; Ts ← {}; Tst = { }bad7 ← F; bad28 ← F

m ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← Mx

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?, alg)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← Ny

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥fr ← (U, S) /∈ CIf ¬frX ← X? /Mpwus ; y ← ny − npwusK ← H(U, S,X?, Y ?, pwus, X

y)Else

K ←$KIf ∃(U, S, ?, ?, y, ?) ∈ T do bad7 ← TTs[U, S,X

?, Y ?] ← (S, y,K, alg)

πiS ← (y, (U, S,X?, Y ?), K, T, fr)

Return (S, Y ?)

proc SendTerm(U, i, S, Y ?, alg)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr

Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ¬frY ← Y ? /Npwus ; x ← mx −mpwusK ← H(U, S,X?, Y ?, pwus, Y

x)Else If (U, S,X?, Y ?) ∈ Ts

(S, y,K, alg′) ← Ts[U, S,X?, Y ?]

Else

K ←$KTs[U, S,X

?, Y ?] ← (U, x,K, alg)

πiU ← (x, (U, S,X?, Y ?), K, T, fr)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx

y ←$ Zq ; Y ? ← gy

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥K ←←$KπiU ← (x, (U, S,X?, Y ?), K, T, T)

πiS ← (y, (U, S,X?, Y ?), K, T, T)

Return (U,X?, S, Y ?)

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KIf (U, S,X?, Y ?) ∈ Ts

If Ts[U, S,X?, Y ?] = (U, x,K, alg)

Y ← Y ? /Npw; x ← mx −mpw; Z′ ← Y x

If Ts[U, S,X?, Y ?] = (S, y,K, alg)

X ← X? /Mpw; y ← my − npw; Z′ ← Xy

If Z′ = Z:

If (U, S) ∈ C ∧ pw = pwus do bad28 ← T

T [U, S,X?, Y ?, pw, Z] ←$KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}; pwus ←$PReturn pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)For (U, S) ∈ (U × S) \ C do pwus ←$PIf ∃U S, (?, pwus, ?) ∈ Ts do bad7 ← TIf ∃ pw, (?, pw, ?) ∈ Ts ∧ (?, ?, ?, ?, pw, ?) ∈ T

bad7 ← T

If bad7 = F do bad28 ← F

Return b = b′

proc Initialize( ) G10b ←$ {0, 1}; C ← {}; T ← {}; Ts ← {}; Tst = { }m ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

bad7 ← F; bad28 ← F; bad10 ← F; λ ← n/m

Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← Mx

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?, alg)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← Ny

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥fr ← (U, S) /∈ CIf ¬frX ← X? /Mpwus ; y ← ny − npwusK ← H(U, S,X?, Y ?, pwus, X

y)ElseK ←$KTs[U, S,X

?, Y ?] ← (S, y,K, alg)

πiS ← (y, (U, S,X?, Y ?), K, T, fr)

Return (S, Y ?)

proc SendTerm(U, i, S, Y ?, alg)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr

Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ¬frY ← Y ? /Npwus ; x ← mx −mpwusK ← H(U, S,X?, Y ?, pwus, Y

x)Else If (U, S,X?, Y ?) ∈ Ts

(S, y,K, alg) ← Ts[U, S,X?, Y ?]

ElseK ←$KTs[U, S,X

?, Y ?] ← (U, x,K, alg)

πiU ← (x, (U, S,X?, Y ?), K, T, fr)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx

y ←$ Zq ; Y ? ← gy

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥K ←←$KπiU ← (x, (U, S,X?, Y ?), K, T, T)

πiS ← (y, (U, S,X?, Y ?), K, T, T)

Return (U,X?, S, Y ?)

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KIf (U, S,X?, Y ?) ∈ Ts

If Ts[U, S,X?, Y ?] = (U, x,K, alg)

Y ← Y ? /Npw; x ← mx −mpw; Z′ ← Y x

If Ts[U, S,X?, Y ?] = (S, y,K, alg)

X ← X? /Mpw; y ← my − npw; Z′ ← Xy

If Z′ = Z ∧ bad10 = F:

If (U, S) ∈ C ∧ pw = pwus do bad28 ← T

T [U, S,X?, Y ?, pw, Z] ←$KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}; pwus ←$PFor all (U, S,X?, Y ?) ∈ Ts

If Ts[U, S,X?, Y ?] = (U, x,K, alg)

Rewrite alg = [(g, a), (M, b), (N, c)]If b − pwus + λc = 0 do bad10 ← T

If Ts[U, S,X?, Y ?] = (S, y,K, alg)

Rewrite alg = [(g, ?), (M, b), (N, ?)]If b + λ(c − pwus) = 0 do bad10 ← T

Return pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)For (U, S) ∈ (U × S) \ C do pwus ←$PIf ∃U S, (?, pwus, ?) ∈ Ts do bad7 ← TIf ∃ pw, (?, pw, ?) ∈ Ts ∧ (?, ?, ?, ?, pw, ?) ∈ T

bad7 ← T

If bad7 = F do bad28 ← F

Return b = b′

Fig. 5. Security proof for SPAKE2. Games 8 to 10.

Page 56: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

22

Adversary B1

proc Initialize(X1, . . . , Xqe , Y1, . . . , Yqe )

b ←$ {0, 1}; C ← {}; T ← {}; Te ← {}m ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

For U ∈ U, S ∈ S do pwus ←$P; Tst = { }k ← 0Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← gx ·Mpwus

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥fr ← (U, S) /∈ CX ← X? /Mpwus

K ← H(U, S,X?, Y ?, pwus, Xy)

πiS ← (y, (U, S,X?, Y ?), K, T, fr)

Return (S, Y ?)

proc SendTerm(U, i, S, Y ?)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr

Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CY ← Y ? /Npwus

K ← H(U, S,X?, Y ?, pwus, Yx)

πiU ← (x, (U, S,X?, Y ?), K, T, fr)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

k ← k + 1X? ← Xk ·Mpwus

Y ? ← Yk · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥If (U, S,X?, Y ?, pwus, Z) ∈ T

If DDH(Xk, Yk, Z) = Tcall Finalize(Z); stop

Te ← Te ∪ {(U, S,X?, Y ?, pwus, k)}K ←←$KπiU ← (x, (U, S,X?, Y ?), K, T, T)

πiS ← (y, (U, S,X?, Y ?), K, T, T)

Return (U,X?, S, Y ?)

proc H(U, S,X?, Y ?, pw, Z)

If ∃(U, S,X?, Y ?, pwus, k) ∈ TeIf DDH(Xk, Yk, Z) = T

call Finalize(Z); stopIf T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KT [U, S,X?, Y ?, pw, Z] ←$KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}Return pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)Stop.

Adversary B2

proc Initialize(A)

b ←$ {0, 1}; C ← {}; T ← {}; Ts ← {}m ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

For U ∈ U, S ∈ S do pwus ←$P; Tst = { }Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← A · g∆πiU ← (∆, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← A · g∆

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥fr ← (U, S) /∈ CIf ¬frX ← X? /Mpwus ; Y ← Y ? /Npwus

If ∃(U, S,X?, Y ?, pwus, Z) ∈ T s.t. DDH(X, Y, Z) = TK ← T [U, S,X?, Y ?, pwus, Z]

Else K ←$K; T [U, S,X?, Y ?, pwus, (X, Y )] ← KElseK ←$KTs[U, S,X

?, Y ?] ← (S,∆,K)

πiS ← (y, (U, S,X?, Y ?), K, T, fr)

Return (S, Y ?)

proc SendTerm(U, i, S, Y ?)

If πiU 6= (∆, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr

Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ¬frX ← X? /Mpwus ; Y ← Y ? /Npwus

If ∃(U, S,X?, Y ?, pwus, Z) ∈ T s.t. DDH(X, Y, Z) = TK ← T [U, S,X?, Y ?, pwus, Z]

Else K ←$K; T [U, S,X?, Y ?, pwus, (X, Y )] ← KElse If (U, S,X?, Y ?) ∈ Ts

(S,∆,K) ← Ts[U, S,X?, Y ?]

ElseK ←$KTs[U, S,X

?, Y ?] ← (U,∆,K)

πiU ← (∆, (U, S,X?, Y ?), K, T, fr)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx

y ←$ Zq ; Y ? ← gy

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr; Return ⊥

K ←←$KπiU ← (x, (U, S,X?, Y ?), K, T, T)

πiS ← (y, (U, S,X?, Y ?), K, T, T)

Return (U,X?, S, Y ?)

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KIf ∃(U, S,X?, Y ?, pw, (X, Y )) ∈ T s.t. DDH(X, Y, Z) = T

Return T [U, S,X?, Y ?, pw, Z]T [U, S,X?, Y ?, pw, Z] ←$KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}; pwus ←$P; Return pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)If ∃U S, Ts[U, S, ?, Y ?] = (S,∆, ?) ∧ Y ? = gnpwus

call Finalize(npwus −∆)If ∃U S, Ts[U, S,X?, ?] = (U,∆, ?) ∧ X? = gmpwus

call Finalize(mpwus −∆)If ∃ pw, (?, ?, ?, ?, pw, ?) ∈ T∧Ts[?, ?, ?, Y ?] = (S,∆, ?) ∧ Y ? = gnpw

call Finalize(npw −∆)If ∃ pw, (?, ?, ?, ?, pw, ?) ∈ T∧Ts[?, ?,X?, ?] = (U,∆, ?) ∧ X? = gmpw

call Finalize(mpw −∆)Stop.

Adversary B3

proc Initialize(M,N)

b ←$ {0, 1}; C ← {}; T ← {}; Ts ← {}; Tst = { }Tbad ← {}; bad7 ← FReturn (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← Mx

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← Ny

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr Return ⊥

fr ← (U, S) /∈ CIf ¬frX ← X? /Mpwus ; Y ← Y ? /Npwus

If ∃(U, S,X?, Y ?, pwus, Z) ∈ T s.t. DDH(X, Y, Z) = TK ← T [U, S,X?, Y ?, pwus, Z]

Else K ←$K; T [U, S,X?, Y ?, pwus, (X, Y )] ← KElse

For all (U, S,X?, Y ?, pw, Z) ∈ TX ← X? /Mpw; Y ← Y ? /Npw

If DDH(X, Y, Z) = TTbad ← Tbad ∪ {U, S,X?, Y ?, pw, Z}

K ←$KTs[U, S,X

?, Y ?] ← (S, y,K)

πiS ← (y, (U, S,X?, Y ?), K, T, fr)

Return (S, Y ?)

proc SendTerm(U, i, S, Y ?)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr Return ⊥

fr ← ∃j, (U, S,X?, Y ?) = πjS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ¬frX ← X? /Mpwus ; Y ← Y ? /Npwus

If ∃(U, S,X?, Y ?, pwus, Z) ∈ T s.t. DDH(X, Y, Z) = TK ← T [U, S,X?, Y ?, pwus, Z]

Else K ←$K; T [U, S,X?, Y ?, pwus, (X, Y )] ← KElse If (U, S,X?, Y ?) ∈ Ts

(S, y,K) ← Ts[U, S,X?, Y ?]

ElseFor all (U, S,X?, Y ?, pw, Z) ∈ TX ← X? /Mpw; Y ← Y ? /Npw

If DDH(X, Y, Z) = TTbad ← Tbad ∪ {U, S,X?, Y ?, pw, Z}

K ←$KTs[U, S,X

?, Y ?] ← (U, x,K)

πiU ← (x, (U, S,X?, Y ?), K, T, fr)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx

y ←$ Zq ; Y ? ← gy

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr; Return ⊥

K ←←$KπiU ← (x, (U, S,X?, Y ?), K, T, T)

πiS ← (y, (U, S,X?, Y ?), K, T, T)

Return (U,X?, S, Y ?)

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KIf (U, S,X?, Y ?) ∈ TsX ← X? /Mpw; Y ← Y ? /Npw

If DDH(X, Y, Z) = TIf (U, S) ∈ C ∧ pw = pwus then SkipIf (U, S) /∈ C do Tbad ← Tbad ∪ {U, S,X?, Y ?, pw, Z}

If ∃(U, S,X?, Y ?, pw, (X, Y ) ∈ T s.t. DDH(X, Y, Z) = TReturn T [U, S,X?, Y ?, pw, (X, Y )]

T [U, S,X?, Y ?, pw, Z] ←$KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}; pwus ←$P; Return pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)For (U, S) ∈ (U × S) \ C do pwus ←$PIf ∃U S, (?, pwus, ?) ∈ Ts do bad7 ← TIf ∃ pw, (?, pw, ?) ∈ Ts ∧ (?, ?, ?, ?, pw, ?) ∈ T do bad7 ← TIf bad7 = F

If ∃pw 6= pw′,(U, S,X?, Y ?, pw, Z) ∈ Tbad ∧(U, S,X?, Y ?, pw′, Z′) ∈ Tbadu ← ((x − pw)(x − pw′)(pw′ − pw))−1

call Finalize((Zx−pw′ · Z′pw−x)u)Stop.

Fig. 6. Security proof for SPAKE2. GCDH and GDL attackers.

Page 57: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Supplementary Material: Game-based Proofs for SPAKE2 23

B Games and adversary for the proof of Theorem 7.1

Page 58: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

24

Adversary B4

proc Initialize(M)

b ←$ {0, 1}; C ← {}; T ← {}; Ts ← {}; Tst = { }bad7 ← F; bad10 ← F

m ←$ Zq ; n ←$D?(m); λ ← n/m; N ← Mλ

Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← Mx

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?, alg)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← Ny

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥fr ← (U, S) /∈ CIf ¬frX ← X? /Mpwus ; Y ← Y ? /Npwus

If ∃(U, S,X?, Y ?, pwus, Z) ∈ T s.t. DDH(X, Y, Z) = TK ← T [U, S,X?, Y ?, pwus, Z]

Else K ←$K; T [U, S,X?, Y ?, pwus, (X, Y )] ← KElseK ←$KTs[U, S,X

?, Y ?] ← (S, y,K, alg)

πiS ← (y, (U, S,X?, Y ?), K, T, fr)

Return (S, Y ?)

proc SendTerm(U, i, S, Y ?, alg)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr

Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ¬frX ← X? /Mpwus ; Y ← Y ? /Npwus

If ∃(U, S,X?, Y ?, pwus, Z) ∈ T s.t. DDH(X, Y, Z) = TK ← T [U, S,X?, Y ?, pwus, Z]

Else K ←$K; T [U, S,X?, Y ?, pwus, (X, Y )] ← KElse If (U, S,X?, Y ?) ∈ Ts

(S, y,K, alg′) ← Ts[U, S,X?, Y ?]

ElseK ←$KTs[U, S,X

?, Y ?] ← (U, x,K, alg)

πiU ← (x, (U, S,X?, Y ?), K, T, fr)

Return T

proc Exec(U, S, i, j)

Unchanged

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KIf (U, S,X?, Y ?) ∈ TsX ← X? /Mpw; Y ← Y ? /Npw

If DDH(X, Y, Z) = T ∧ (U, S) ∈ C ∧ pw = pwus ∧ bad10 = FCall Finalize(CDH(M,M))

If ∃(U, S,X?, Y ?, pw, (X, Y ) ∈ T s.t. DDH(X, Y, Z) = TReturn T [U, S,X?, Y ?, pw, (X, Y )]

T [U, S,X?, Y ?, pw, Z] ←$KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}; pwus ←$PFor all (U, S,X?, Y ?) ∈ Ts

If Ts[U, S,X?, Y ?] = (U, x,K, alg)

Rewrite alg = [(g, a), (M, b), (N, c)]If b − pwus + λc = 0 do bad10 = T

If Ts[U, S,X?, Y ?] = (S, y,K, alg)

Rewrite alg = [(g, a), (M, b), (N, c)]If b + λ(c − pwus) = 0 do bad10 = T

Return pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)For (U, S) ∈ (U × S) \ C do pwus ←$PIf ∃U S, (?, pwus, ?) ∈ Ts do bad7 ← TIf ∃ pw, (?, pw, ?) ∈ Ts ∧ (?, ?, ?, ?, pw, ?) ∈ T

bad7 ← TStop.

Adversary BF,i5

proc Initialize(B1, B2, A1)

b ←$ {0, 1}; C ← {}; T ← {}; Ts ← {}; Tst = { }bad7 ← FM ← B1; N ← B2; k ← 0; tr ←⊥Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← A1 · gxπiU ← (x, (U, S,X?,⊥),⊥, F, F)k ← k + 1; Return (U,X?)

proc SendResp(S, i, U,X?, alg)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← Ny

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥fr ← (U, S) /∈ CIf ¬frX ← X? /Mpwus ; Y ← Y ? /Npwus

If ∃(U, S,X?, Y ?, pwus, Z) ∈ T s.t. DDH(X, Y, Z) = TK ← T [U, S,X?, Y ?, pwus, Z]

Else K ←$K; T [U, S,X?, Y ?, pwus, (X, Y )] ← KElseK ←$KTs[U, S,X

?, Y ?] ← (S, y,K, alg)

πiS ← (y, (U, S,X?, Y ?), K, T, fr)

k ← k + 1; Return (S, Y ?)

proc SendTerm(U, i, S, Y ?, alg)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr

Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ¬frX ← X? /Mpwus ; Y ← Y ? /Npwus

If ∃(U, S,X?, Y ?, pwus, Z) ∈ T s.t. DDH(X, Y, Z) = TK ← T [U, S,X?, Y ?, pwus, Z]

Else K ←$K; T [U, S,X?, Y ?, pwus, (X, Y )] ← KElse If (U, S,X?, Y ?) ∈ Ts

(S, y,K, alg′) ← Ts[U, S,X?, Y ?]

ElseIf k = i

tr ← (U, S,X?, Y ?)Output Y ? to get pwU,S

K ←$KTs[U, S,X

?, Y ?] ← (U, x,K, alg)

πiU ← (x, (U, S,X?, Y ?), K, T, fr)

k ← k + 1; Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx

y ←$ Zq ; Y ? ← gy

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥K ←←$KπiU ← (x, (U, S,X?, Y ?), K, T, T)

πiS ← (y, (U, S,X?, Y ?), K, T, T)

Return (U,X?, S, Y ?)

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KIf (U, S,X?, Y ?) ∈ TsX ← X? /Mpw; Y ← Y ? /Npw

If DDH(X, Y, Z) = T ∧ (U, S) ∈ C ∧ pw = pwusIf tr 6= (U, S,X?, Y ?) do Abort

Else Get x from Ts; Output Z/Mx−pwus

If ∃(U, S,X?, Y ?, pw, (X, Y ) ∈ T s.t. DDH(X, Y, Z) = TReturn T [U, S,X?, Y ?, pw, (X, Y )]

T [U, S,X?, Y ?, pw, Z] ←$KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}If tr 6= (U, S, ?, ?) do pwus ←$PReturn pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)For (U, S) ∈ (U × S) \ C do pwus ←$PIf ∃U S, (?, pwus, ?) ∈ Ts do bad7 ← TIf ∃ pw, (?, pw, ?) ∈ Ts ∧ (?, ?, ?, ?, pw, ?) ∈ T

bad7 ← TStop.

Adversary BT,i5

proc Initialize(B1, B2, A1)

b ←$ {0, 1}; C ← {}; T ← {}; Ts ← {}; Tst = { }bad7 ← FM ← B2; N ← B1; k ← 0; tr ←⊥Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← Mx

πiU ← (x, (U, S,X?,⊥),⊥, F, F)k ← k + 1; Return (U,X?)

proc SendResp(S, i, U,X?, alg)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← Ny

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥fr ← (U, S) /∈ CIf ¬frX ← X? /Mpwus ; Y ← Y ? /Npwus

If ∃(U, S,X?, Y ?, pwus, Z) ∈ T s.t. DDH(X, Y, Z) = TK ← T [U, S,X?, Y ?, pwus, Z]

Else K ←$K; T [U, S,X?, Y ?, pwus, (X, Y )] ← KElse

If k = iY ? ← A1; tr ← (U, S,X?, Y ?)Output X? to get pwU,S

K ←$KTs[U, S,X

?, Y ?] ← (S, y,K, alg)

πiS ← (y, (U, S,X?, Y ?), K, T, fr)

k ← k + 1; Return (S, Y ?)

proc SendTerm(U, i, S, Y ?, alg)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr

Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ¬frX ← X? /Mpwus ; Y ← Y ? /Npwus

If ∃(U, S,X?, Y ?, pwus, Z) ∈ T s.t. DDH(X, Y, Z) = TK ← T [U, S,X?, Y ?, pwus, Z]

Else K ←$K; T [U, S,X?, Y ?, pwus, (X, Y )] ← KElse If (U, S,X?, Y ?) ∈ Ts

(S, y,K, alg′) ← Ts[U, S,X?, Y ?]

ElseK ←$KTs[U, S,X

?, Y ?] ← (U, x,K, alg)

πiU ← (x, (U, S,X?, Y ?), K, T, fr)

k ← k + 1; Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx

y ←$ Zq ; Y ? ← gy

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥K ←←$KπiU ← (x, (U, S,X?, Y ?), K, T, T)

πiS ← (y, (U, S,X?, Y ?), K, T, T)

Return (U,X?, S, Y ?)

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KIf (U, S,X?, Y ?) ∈ TsX ← X? /Mpw; Y ← Y ? /Npw

If DDH(X, Y, Z) = T ∧ (U, S) ∈ C ∧ pw = pwusIf tr 6= (U, S,X?, Y ?) do AbortElse Output Z

If ∃(U, S,X?, Y ?, pw, (X, Y ) ∈ T s.t. DDH(X, Y, Z) = TReturn T [U, S,X?, Y ?, pw, (X, Y )]

T [U, S,X?, Y ?, pw, Z] ←$KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}If tr 6= (U, S, ?, ?) do pwus ←$PReturn pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)For (U, S) ∈ (U × S) \ C do pwus ←$PIf ∃U S, (?, pwus, ?) ∈ Ts do bad7 ← TIf ∃ pw, (?, pw, ?) ∈ Ts ∧ (?, ?, ?, ?, pw, ?) ∈ T

bad7 ← TStop.

Fig. 7. Security proof for SPAKE2. Algebraic reduction to GCDH and alternative reduction to GPCCDH.

Page 59: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Supplementary Material: Game-based Proofs for SPAKE2 25

proc Initialize( ) G1, G2b ←$ {0, 1}; C ← {}; T ← {}; Tst = { }For U ∈ U, S ∈ S do pwus ←$P; bad2 ← Fm ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← gx ·Mpwus

πiU ← (x, (U, S,X?,⊥),⊥, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

bad2 = T; Return ⊥X ← X? /Mpwus

(Ka,Ke) ← H(U, S,X?, Y ?, pwus, Xy)

(KU,S,KS,U ) ← KDF(Ka, const)

tag ← MAC(KS,U , (U, S,X?, Y ?))

πiS ← (y, (U, S,X?, Y ?), (Ka,Ke), F)

Return (S, Y ?, tag)

proc SendTermInit(U, i, S, Y ?, tag)

If πiU 6= (x, (U, S,X?,⊥),⊥, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr

bad2 = T; Return ⊥

Y ← Y ? /Npwus

(Ka,Ke) ← H(U, S,X?, Y ?, pwus, Yx)

(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KS,U , (U, S,X?, Y ?))

πiU ← aborted; Return ⊥πiU ← (x, (U, S,X?, Y ?), Ke, T)

tag ← MAC(KU,S, (U, S,X?, Y ?))

Return tag

proc SendTermResp(S, i, U, tag)

If πiS 6= (y, (U, S,X?, Y ?), (Ka,Ke), F) Return ⊥

(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KU,S, (U, S,X?, Y ?))

πiS ← aborted; Return ⊥πiS ← (y, (U, S,X?, Y ?), Ke, T)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx ·Mpwus

y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

bad2 = T; Return ⊥

(Ka,Ke) ← H(U, S,X?, Y ?, pwus, Xy)

(KU,S,KS,U ) ← KDF(Ka, const)

tag1 ← MAC(KU,S, (U, S,X?, Y ?))

tag2 ← MAC(KS,U , (U, S,X?, Y ?))

πiU ← (x, (U, S,X?, Y ?), Ke, T)

πiS ← (y, (U, S,X?, Y ?), Ke, T)

Return (U,X?, S, Y ?, tag1, tag2)

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KT [U, S,X?, Y ?, pw, Z] ←$K × KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}Return pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥

Return πiP .K

proc Test(P, i)

If Fresh(πiP ) = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)Return b = b′

proc Initialize( ) G3b ←$ {0, 1}; C ← {}; T ← {}; Tst = { }For U ∈ U, S ∈ S do pwus ←$Pm ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← gx ·Mpwus

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥X ← X? /Mpwus

(Ka,Ke) ← H(U, S,X?, Y ?, pwus, Xy)

(KU,S,KS,U ) ← KDF(Ka, const)

tag ← MAC(KS,U , (U, S,X?, Y ?))

πiS ← (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

Return (S, Y ?, tag)

proc SendTermInit(U, i, S, Y ?, tag)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr

Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CY ← Y ? /Npwus

(Ka,Ke) ← H(U, S,X?, Y ?, pwus, Yx)

(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KS,U , (U, S,X?, Y ?))

πiU ← aborted; Return ⊥πiU ← (x, (U, S,X?, Y ?), Ke, T, fr)

tag ← MAC(KU,S, (U, S,X?, Y ?))

Return tag

proc SendTermResp(S, i, U, tag)

If πiS 6= (y, (U, S,X?, Y ?), (Ka,Ke), F, F) Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jU.tr ∧ πj

U.fr = T

fr ← fr ∨ (U, S) /∈ C(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KU,S, (U, S,X?, Y ?))

πiS ← aborted; Return ⊥πiS ← (y, (U, S,X?, Y ?), Ke, T, fr)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx ·Mpwus

y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥

(Ka,Ke) ← H(U, S,X?, Y ?, pwus, Xy)

(KU,S,KS,U ) ← KDF(Ka, const)

tag1 ← MAC(KU,S, (U, S,X?, Y ?))

tag2 ← MAC(KS,U , (U, S,X?, Y ?))

πiU ← (x, (U, S,X?, Y ?), Ke, T, T)

πiS ← (y, (U, S,X?, Y ?), Ke, T, T)

Return (U,X?, S, Y ?, tag1, tag2)

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KT [U, S,X?, Y ?, pw, Z] ←$K × KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}Return pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)Return b = b′

proc Initialize( ) G4b ←$ {0, 1}; C ← {}; T ← {}; Tst = { }For U ∈ U, S ∈ S do pwus ←$P; bad4 ← F; Tp ← {}m ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← gx ·Mpwus

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥X ← X? /Mpwus

If ∃j, πjU

= (x, (U, S,X?,⊥),⊥, F, F)If (U, S,X?, Y ?, pwus, Y

x) ∈ T do bad4 ← T(Ka,Ke) ←$K × KTp[U, S,X

?, Y ?, pwus, Yx] = (Ka,Ke)

Else (Ka,Ke) ← H(U, S,X?, Y ?, pwus, Xy)

(KU,S,KS,U ) ← KDF(Ka, const)

tag ← MAC(KS,U , (U, S,X?, Y ?))

πiS ← (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

Return (S, Y ?, tag)

proc SendTermInit(U, i, S, Y ?, tag)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr

Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CY ← Y ? /Npwus

If ∃j, πjS

= (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

(Ka,Ke) ← Tp[U, S,X?, Y ?, pwus, Y

x]

Else (Ka,Ke) ← H(U, S,X?, Y ?, pwus, Xy)

(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KS,U , (U, S,X?, Y ?))

πiU ← aborted; Return ⊥πiU ← (x, (U, S,X?, Y ?), Ke, T, fr)

tag ← MAC(KU,S, (U, S,X?, Y ?))

Return tag

proc SendTermResp(S, i, U, tag)

If πiS 6= (y, (U, S,X?, Y ?), (Ka,Ke), F, F) Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jU.tr ∧ πj

U.fr = T

fr ← fr ∨ (U, S) /∈ C(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KU,S, (U, S,X?, Y ?))

πiS ← aborted; Return ⊥πiS ← (y, (U, S,X?, Y ?), Ke, T, fr)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx ·Mpwus

y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥If (U, S,X?, Y ?, pwus, Y

x) ∈ T do bad4 ← TTp ← Tp ∪ {(U, S,X?, Y ?, pwus, Y x)}(Ka,Ke) ←$K × K(KU,S,KS,U ) ← KDF(Ka, const)

tag1 ← MAC(KU,S, (U, S,X?, Y ?))

tag2 ← MAC(KS,U , (U, S,X?, Y ?))

πiU ← (x, (U, S,X?, Y ?), Ke, T, T)

πiS ← (y, (U, S,X?, Y ?), Ke, T, T)

Return (U,X?, S, Y ?, tag1, tag2)

proc H(U, S,X?, Y ?, pw, Z)

If ∃(U, S,X?, Y ?, pwus, Z) ∈ Tp do bad4 ← TIf T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KT [U, S,X?, Y ?, pw, Z] ←$K × KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}Return pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)Return b = b′

Fig. 8. Security proof for SPAKE2 with confirmation. Games 1 to 4.

Page 60: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

26

proc Initialize( ) G5b ←$ {0, 1}; C ← {}; T ← {}; Tst = { }For U ∈ U, S ∈ S do pwus ←$Pm ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← gx ·Mpwus

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr Return ⊥

If ∃j, πjU

= (x, (U, S,X?,⊥),⊥, F, F)(Ka,Ke) ←$K × K

ElseX ← X? /Mpwus

(Ka,Ke) ← H(U, S,X?, Y ?, pwus, Xy)

(KU,S,KS,U ) ← KDF(Ka, const)

tag ← MAC(KS,U , (U, S,X?, Y ?))

πiS ← (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

Return (S, Y ?, tag)

proc SendTermInit(U, i, S, Y ?, tag)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr Return ⊥

fr ← ∃j, (U, S,X?, Y ?) = πjS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ∃j, πj

S= (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

(Ka,Ke) ← πjS.K

ElseY ← Y ? /Npwus

(Ka,Ke) ← H(U, S,X?, Y ?, pwus, Xy)

(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KS,U , (U, S,X?, Y ?))

πiU ← aborted; Return ⊥πiU ← (x, (U, S,X?, Y ?), Ke, T, fr)

tag ← MAC(KU,S, (U, S,X?, Y ?))

Return tag

proc SendTermResp(S, i, U, tag)

If πiS 6= (y, (U, S,X?, Y ?), (Ka,Ke), F, F) Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jU.tr ∧ πj

U.fr = T

fr ← fr ∨ (U, S) /∈ C(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KU,S, (U, S,X?, Y ?))

πiS ← aborted; Return ⊥πiS ← (y, (U, S,X?, Y ?), Ke, T, fr)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

x ←$ Zq ; X? ← gx

y ←$ Zq ; Y ? ← gy

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥(Ka,Ke) ←$K × K(KU,S,KS,U ) ← KDF(Ka, const)

tag1 ← MAC(KU,S, (U, S,X?, Y ?))

tag2 ← MAC(KS,U , (U, S,X?, Y ?))

πiU ← (x, (U, S,X?, Y ?), Ke, T, T)

πiS ← (y, (U, S,X?, Y ?), Ke, T, T)

Return (U,X?, S, Y ?, tag1, tag2)

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KT [U, S,X?, Y ?, pw, Z] ←$K × KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}Return pwus

proc Reveal(P, i)

If πiP .ac 6= T ∨ (P, i) ∈ Tst Return ⊥∀(j, Q) s.t. π

jQ.tr = πiP .tr do π

jQ.fr = F

Return πiP .K

proc Test(P, i)

If πiP .fr = F Return ⊥K0 ← Reveal(P, i); K1 ←$KTst ← Tst ∪ (P, i); Return Kb

proc Finalize(b′)Return b = b′

proc Initialize( ) G6b ←$ {0, 1}; C ← {}; T ← {}; Tst = { }; Ts ← {}For U ∈ U, S ∈ S do pwus ←$P; bad6 ← Fm ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← gx ·Mpwus

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← gy · Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr Return ⊥

If ∃j, πjU

= (x, (U, S,X?,⊥),⊥, F, F)(Ka,Ke) ←$K × K

Else If (U, S) ∈ CX ← X? /Mpwus

(Ka,Ke) ← H(U, S,X?, Y ?, pwus, Xy)

ElseIf ∃(U, S,X?, Y ?, pw, Z) ∈ T ∧ pw = pwusX ← X? /Mpw

If Z = Xy do bad6 ← T(Ka,Ke) ←$K × KTs[U, S,X

?, Y ?] ← (S, y, (Ka,Ke))(KU,S,KS,U ) ← KDF(Ka, const)

tag ← MAC(KS,U , (U, S,X?, Y ?))

πiS ← (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

Return (S, Y ?, tag)

proc SendTermInit(U, i, S, Y ?, tag)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr Return ⊥

fr ← ∃j, (U, S,X?, Y ?) = πjS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ∃j, πj

S= (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

(Ka,Ke) ← πjS.K

Else If ¬frY ← Y ? /Npwus

(Ka,Ke) ← H(U, S,X?, Y ?, pwus, Yx)

Else (cannot be in Ts)If ∃(U, S,X?, Y ?, pw, Z) ∈ T ∧ pw = pwusY ← Y ? /Npw

If Z = Y x do bad6 ← TKa ×Ke ←$K × KTs[U, S,X

?, Y ?] ← (U, x, (Ka,Ke))(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KS,U , (U, S,X?, Y ?))

πiU ← aborted; Return ⊥πiU ← (x, (U, S,X?, Y ?), Ke, T, fr)

tag ← MAC(KU,S, (U, S,X?, Y ?))

Return tag

proc SendTermResp(S, i, U, tag)

If πiS 6= (y, (U, S,X?, Y ?), (Ka,Ke), F, F) Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jU.tr ∧ πj

U.fr = T

fr ← fr ∨ (U, S) /∈ C(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KU,S, (U, S,X?, Y ?))

πiS ← aborted; Return ⊥πiS ← (y, (U, S,X?, Y ?), Ke, T, fr)

Return T

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KIf (U, S,X?, Y ?) ∈ Ts ∧ pw = pwus

If Ts[U, S,X?, Y ?] = (U, x,K)

Y ← Y ? /Npw; Z′ ← Y x

If Ts[U, S,X?, Y ?] = (S, y,K)

X ← X? /Mpw; Z′ ← Xy

If Z′ = Z do bad6 ← TT [U, S,X?, Y ?, pw, Z] ←$K × KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}For all (U, S,X?, Y ?) ∈ Ts

If @ j P, πjP.tr = (U, S,X?, Y ?) ∧ π

jP.ac = T

If Ts[U, S,X?, Y ?] = (U, x,K)

Y ← Y ? /Npwus ; Z ← Y x

If Ts[U, S,X?, Y ?] = (S, y,K)

X ← X? /Mpwus ; Z ← Xy

T [U, S,X?, Y ?, pwus, Z] ← (Ka,Ke)Ts[U, S,X

?, Y ?] ←⊥Return pwus

proc Finalize(b′)

Return b = b′

procs Exec, Reveal, Test unchanged

proc Initialize( ) G7b ←$ {0, 1}; C ← {}; T ← {}; Tst = { }; Ts ← {}For U ∈ U, S ∈ S do pwus ←$P; bad6 ← F; bad7 ← Fm ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← Mx

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← Ny

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr Return ⊥

If ∃j, πjU

= (x, (U, S,X?,⊥),⊥, F, F)(Ka,Ke) ←$K × K

Else If (U, S) ∈ CX ← X? /Mpwus ; y ← ny − npwus(Ka,Ke) ← H(U, S,X?, Y ?, pwus, X

y)Else

If ∃(U, S,X?, Y ?, pw, Z) ∈ T ∧ pw = pwusX ← X? /Mpw; y ← ny − npw

If Z = Xy do bad6 ← T(Ka,Ke) ←$K × KTs[U, S,X

?, Y ?] ← (S, y, (Ka,Ke))(KU,S,KS,U ) ← KDF(Ka, const)

tag ← MAC(KS,U , (U, S,X?, Y ?))

πiS ← (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

Return (S, Y ?, tag)

proc SendTermInit(U, i, S, Y ?, tag)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr Return ⊥

fr ← ∃j, (U, S,X?, Y ?) = πjS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ∃j, πj

S= (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

(Ka,Ke) ← πjS.K

Else If ¬frY ← Y ? /Npwus ; x ← mx −mpwus(Ka,Ke) ← H(U, S,X?, Y ?, pwus, Y

x)Else (cannot be in Ts)

If ∃(U, S,X?, Y ?, pw, Z) ∈ T ∧ pw = pwusY ← Y ? /Npw; x ← mx −mpw

If Z = Y x do bad6 ← TKa ×Ke ←$K × KTs[U, S,X

?, Y ?] ← (U, x, (Ka,Ke))(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KS,U , (U, S,X?, Y ?))

πiU ← aborted; Return ⊥πiU ← (x, (U, S,X?, Y ?), Ke, T, fr)

tag ← MAC(KU,S, (U, S,X?, Y ?))

Return tag

proc SendTermResp(S, i, U, tag)

If πiS 6= (y, (U, S,X?, Y ?), (Ka,Ke), F, F) Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jU.tr ∧ πj

U.fr = T

fr ← fr ∨ (U, S) /∈ C(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KU,S, (U, S,X?, Y ?))

πiS ← aborted; Return ⊥πiS ← (y, (U, S,X?, Y ?), Ke, T, fr)

Return T

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KIf (U, S,X?, Y ?) ∈ Ts ∧ pw = pwus

If Ts[U, S,X?, Y ?] = (U, x,K)

Y ← Y ? /Npw; x ← mx −mpw; Z′ ← Y x

If Ts[U, S,X?, Y ?] = (S, y,K)

X ← X? /Mpw; y ← ny − npw; Z′ ← Xy

If Z′ = Z do bad6 ← TT [U, S,X?, Y ?, pw, Z] ←$K × KReturn T [U, S,X?, Y ?, pw, Z]

proc Corrupt(U, S)

C ← C ∪ {(U, S)}For all (U, S,X?, Y ?) ∈ Ts

If @ j P, πjP.tr = (U, S,X?, Y ?) ∧ π

jP.ac = T

If Ts[U, S,X?, Y ?] = (U, x,K)

Y ← Y ? /Npwus ; x ← mx −mpw; Z ← Y x

If Ts[U, S,X?, Y ?] = (S, y,K)

X ← X? /Mpwus ; y ← ny − npw; Z ← Xy

T [U, S,X?, Y ?, pwus, Z] ← (Ka,Ke)Ts[U, S,X

?, Y ?] ←⊥Return pwus

proc Finalize(b′)If ∃U S, (?, pwus, ?) ∈ Ts do bad7 ← TIf ∃ pw, (?, pw, ?) ∈ Ts ∧ (?, ?, ?, ?, pw, ?) ∈ T do bad7 ← TIf bad7 = T do bad6 ← F

Return b = b′

procs Exec, Reveal, Test unchanged

Fig. 9. Security proof for SPAKE2 with confirmation. Games 5 to 7.

Page 61: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

Supplementary Material: Game-based Proofs for SPAKE2 27

proc Initialize( ) G8b ←$ {0, 1}; C ← {}; T ← {}; Ts ← {}; Tst = { }For U ∈ U, S ∈ S do pwus ←$P; bad6 ← F; bad7 ← Fm ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn; bad8 ← F

Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← Mx

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← Ny

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr Return ⊥

If ∃j, πjU

= (x, (U, S,X?,⊥),⊥, F, F)(Ka,Ke) ←$K × K

Else If (U, S) ∈ CX ← X? /Mpwus ; y ← ny − npwus(Ka,Ke) ← H(U, S,X?, Y ?, pwus, X

y)Else

If ∃(U, S,X?, Y ?, pw, Z) ∈ T ∧ pw = pwusX ← X? /Mpw; y ← ny − npw

If Z = Xy do bad6 ← TKa ×Ke ←$K × KTs[U, S,X

?, Y ?] ← (S, y, (Ka,Ke))(KU,S,KS,U ) ← KDF(Ka, const)

tag ← MAC(KS,U , (U, S,X?, Y ?))

πiS ← (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

Return (S, Y ?, tag)

proc SendTermInit(U, i, S, Y ?, tag)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr Return ⊥

fr ← ∃j, (U, S,X?, Y ?) = πjS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ∃j, πj

S= (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

(Ka,Ke) ← πjS.K

Else If ¬frY ← Y ? /Npwus ; x ← mx −mpwus(Ka,Ke) ← H(U, S,X?, Y ?, pwus, Y

x)Else (cannot be in Ts)

If ∃(U, S,X?, Y ?, pw, Z) ∈ T ∧ pw = pwusY ← Y ? /Npw; x ← mx −mpw

If Z = Y x do bad6 ← TKa ×Ke ←$K × KTs[U, S,X

?, Y ?] ← (U, x, (Ka,Ke))(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KS,U , (U, S,X?, Y ?))

πiU ← aborted; Return ⊥If fr ∧ @j, (U, S,X?, Y ?) = π

jS.tr (implies (U, S) /∈ C)

bad8 ← T; Ts[U, S,X?, Y ?] ←⊥; πiU ← aborted; Return ⊥

πiU ← (x, (U, S,X?, Y ?), Ke, T, fr)

tag ← MAC(KU,S, (U, S,X?, Y ?))

Return tag

proc SendTermResp(S, i, U, tag)

If πiS 6= (y, (U, S,X?, Y ?), (Ka,Ke), F, F) Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jU.tr ∧ πj

U.fr = T

fr ← fr ∨ (U, S) /∈ C(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KU,S, (U, S,X?, Y ?))

πiS ← aborted; Return ⊥If fr ∧ @j, (U, S,X?, Y ?) = π

jU.tr (implies (U, S) /∈ C)

bad8 ← T; Ts[U, S,X?, Y ?] ←⊥; πiS ← aborted; Return ⊥

πiS ← (y, (U, S,X?, Y ?), Ke, T, fr)

Return T

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KIf (U, S,X?, Y ?) ∈ Ts ∧ pw = pwus

If Ts[U, S,X?, Y ?] = (U, x,K)

Y ← Y ? /Npw; x ← mx −mpw; Z′ ← Y x

If Ts[U, S,X?, Y ?] = (S, y,K)

X ← X? /Mpw; y ← ny − npw; Z′ ← Xy

If Z′ = Z ∧ (U, S) /∈ C do bad6 ← TT [U, S,X?, Y ?, pw, Z] ←$K × KReturn T [U, S,X?, Y ?, pw, Z]

proc Finalize(b′)If ∃U S, (?, pwus, ?) ∈ Ts do bad7 ← TIf ∃ pw, (?, pw, ?) ∈ Ts ∧ (?, ?, ?, ?, pw, ?) ∈ T do bad7 ← TIf bad7 = T do bad6 ← F

Return b = b′

procs Exec, Reveal, Test, Corrupt unchanged

proc Initialize( ) G9b ←$ {0, 1}; C ← {}; T ← {}; Ts ← {}; Tst = { }bad6 ← F; bad7 ← F; bad9; Tbad ← {}m ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← Mx

πiU ← (x, (U, S,X?,⊥),⊥, F, F)Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← Ny

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr Return ⊥

If ∃j, πjU

= (x, (U, S,X?,⊥),⊥, F, F)(Ka,Ke) ←$K × K

Else If (U, S) ∈ CX ← X? /Mpwus ; y ← ny − npwus(Ka,Ke) ← H(U, S,X?, Y ?, pwus, X

y)Else

For all (U, S,X?, Y ?, pw, Z) ∈ TX ← X? /Mpw; y ← ny − npw

If Z = Xy do Tbad ← Tbad ∪ {(U, S,X?, Y ?, pw, Z)}Ka ×Ke ←$K × KTs[U, S,X

?, Y ?] ← (S, y, (Ka,Ke))(KU,S,KS,U ) ← KDF(Ka, const)

tag ← MAC(KS,U , (U, S,X?, Y ?))

πiS ← (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

Return (S, Y ?, tag)

proc SendTermInit(U, i, S, Y ?, tag)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr Return ⊥

fr ← ∃j, (U, S,X?, Y ?) = πjS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ∃j, πj

S= (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

(Ka,Ke) ← πjS.K

Else If ¬frY ← Y ? /Npwus ; x ← mx −mpwus(Ka,Ke) ← H(U, S,X?, Y ?, pwus, Y

x)Else (cannot be in Ts)

For all (U, S,X?, Y ?, pw, Z) ∈ TY ← Y ? /Npw; x ← mx −mpw

If Z = Y x do Tbad ← Tbad ∪ {(U, S,X?, Y ?, pw, Z)}Ka ×Ke ←$K × KTs[U, S,X

?, Y ?] ← (U, x, (Ka,Ke))(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KS,U , (U, S,X?, Y ?))

πiU ← aborted; Return ⊥If fr ∧ @j, (U, S,X?, Y ?) = π

jS.tr (implies (U, S) /∈ C)

Ts[U, S,X?, Y ?] ←⊥; πiU ← aborted; Return ⊥

πiU ← (x, (U, S,X?, Y ?), Ke, T, fr)

tag ← MAC(KU,S, (U, S,X?, Y ?))

Return tag

proc SendTermResp(S, i, U, tag)

If πiS 6= (y, (U, S,X?, Y ?), (Ka,Ke), F, F) Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jU.tr ∧ πj

U.fr = T

fr ← fr ∨ (U, S) /∈ C(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KU,S, (U, S,X?, Y ?))

πiS ← aborted; Return ⊥If fr ∧ @j, (U, S,X?, Y ?) = π

jU.tr (implies (U, S) /∈ C)

Ts[U, S,X?, Y ?] ←⊥; πiS ← aborted; Return ⊥

πiS ← (y, (U, S,X?, Y ?), Ke, T, fr)

Return T

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KIf (U, S,X?, Y ?) ∈ Ts

If Ts[U, S,X?, Y ?] = (U, x,K)

Y ← Y ? /Npw; x ← mx −mpw; Z′ ← Y x

If Ts[U, S,X?, Y ?] = (S, y,K)

X ← X? /Mpw; y ← ny − npw; Z′ ← Xy

If Z′ = Z ∧ (U, S) /∈ CTbad ← Tbad ∪ {(U, S,X?, Y ?, pw, Z)}

T [U, S,X?, Y ?, pw, Z] ←$K × KReturn T [U, S,X?, Y ?, pw, Z]

proc Finalize(b′)For (U, S) ∈ (U × S) \ C do pwus ←$PIf ∃U S, (?, pwus, ?) ∈ Ts do bad7 ← TIf ∃ pw, (?, pw, ?) ∈ Ts ∧ (?, ?, ?, ?, pw, ?) ∈ T do bad7 ← TIf bad7 = F

If ∃pw 6= pw′,(U, S,X?, Y ?, pw, Z) ∈ Tbad ∧(U, S,X?, Y ?, pw′, Z′) ∈ Tbad do bad9 ← T

ElseIf (U, S, ?, ?, pwus, ?) ∈ Tbad do bad6 ← T

Return b = b′

procs Exec, Reveal, Test, Corrupt unchanged

Fig. 10. Security proof for SPAKE2 with confirmation. Games 8 to 9.

Page 62: Universally Composable Relaxed Password Authenticated Key ... · Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree

28

Adversary B6

proc Initialize(X1, . . . , Xqe+qs, Y1, . . . , Yqe+qs

)

b ←$ {0, 1}; C ← {}; T ← {}; Tp ← {}m ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn

For U ∈ U, S ∈ S do pwus ←$P; Tst = { }kx, ky ← 1Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥X? ← Xkx

·Mpwus

πiU ← (kx, (U, S,X?,⊥),⊥, F, F); kx ← kx + 1

Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥Y ? ← Yky

· Npwus

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥X ← X? /Mpwus ; Y ← Y ?/Npwus

If ∃j, πjU

= (kx, (U, S,X?,⊥),⊥, F, F)

If (U, S,X?, Y ?, pwus, Z) ∈ T ∧ DDH(X, Y, Z) = TCall Terminate(X, Y, Z)

(Ka,Ke) ←$K × KTp[U, S,X

?, Y ?, pwus, (X, Y )] = (Ka,Ke)

Else (Ka,Ke) ← H(U, S,X?, Y ?, pwus, (X, Y ))(KU,S,KS,U ) ← KDF(Ka, const)

tag ← MAC(KS,U , (U, S,X?, Y ?))

πiS ← (ky, (U, S,X?, Y ?), (Ka,Ke), F, F); ky ← ky + 1

Return (S, Y ?, tag)

proc SendTermInit(U, i, S, Y ?, tag)

If πiU 6= (kx, (U, S,X?,⊥),⊥, F, F) Return ⊥

If ∃P ∈ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CY ← Y ?/Npwus ; X ← X? /Mpwus

If ∃j, πjS

= (ky, (U, S,X?, Y ?), (Ka,Ke), F, F)

(Ka,Ke) ← Tp[U, S,X?, Y ?, pwus, (X, Y )]

Else (Ka,Ke) ← H(U, S,X?, Y ?, pwus, (X, Y ))(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KS,U , (U, S,X?, Y ?))

πiU ← aborted; Return ⊥πiU ← (x, (U, S,X?, Y ?), Ke, T, fr)

tag ← MAC(KU,S, (U, S,X?, Y ?))

Return tag

proc SendTermResp(S, i, U, tag)

If πiS 6= (y, (U, S,X?, Y ?), (Ka,Ke), F, F) Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jU.tr ∧ πj

U.fr = T

fr ← fr ∨ (U, S) /∈ C(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KU,S, (U, S,X?, Y ?))

πiS ← aborted; Return ⊥πiS ← (y, (U, S,X?, Y ?), Ke, T, fr)

Return T

proc Exec(U, S, i, j)

If πiU 6=⊥ ∨πjS6=⊥ Return ⊥

X? ← kx ·Mpwus ; kx ← kx + 1Y ? ← ky · Npwus ; ky ← ky + 1

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr

Return ⊥If (U, S,X?, Y ?, pwus, Z) ∈ T ∧ DDH(X, Y, Z) = T

Call Terminate(X, Y, Z)Tp ← Tp ∪ {(U, S,X?, Y ?, pwus, (X, Y ))}(Ka,Ke) ←$K × K(KU,S,KS,U ) ← KDF(Ka, const)

tag1 ← MAC(KU,S, (U, S,X?, Y ?))

tag2 ← MAC(KS,U , (U, S,X?, Y ?))

πiU ← (x, (U, S,X?, Y ?), Ke, T, T)

πiS ← (y, (U, S,X?, Y ?), Ke, T, T)

Return (U,X?, S, Y ?, tag1, tag2)

proc H(U, S,X?, Y ?, pw, Z)

If ∃(U, S,X?, Y ?, pwus, (X, Y )) ∈ Tp ∧ DDH(X, Y, Z) = TCall Terminate(X, Y, Z)

If (U, S,X?, Y ?, pwus, (X, Y )) ∈ T ∧ DDH(X, Y, Z) = TReturn T [U, S,X?, Y ?, pwus, (X, Y )]If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KT [U, S,X?, Y ?, pw, Z] ←$K × KReturn T [U, S,X?, Y ?, pw, Z]

proc Finalize(b′)Return b = b′

procs Reveal, Test, Corrupt unchanged

proc Initialize( ) Gc8′

b ←$ {0, 1}; C, T, Ts, Tst ← {}; ` ←$ {0..qs − 1}; k ← 0For U ∈ U, S ∈ S do pwus ←$P; bad6 ← F; bad7 ← F; tr` ←⊥m ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn; bad8 ← F

Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← Mx

πiU ← (x, (U, S,X?,⊥),⊥, F, F)k ← k + 1; Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← Ny

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr Return ⊥

If ∃j, πjU

= (x, (U, S,X?,⊥),⊥, F, F)(Ka,Ke) ←$K × K

Else If (U, S) ∈ CX ← X? /Mpwus ; y ← ny − npwus(Ka,Ke) ← H(U, S,X?, Y ?, pwus, X

y)Else

If ∃(U, S,X?, Y ?, pw, Z) ∈ T ∧ pw = pwusX ← X? /Mpw; y ← ny − npw

If Z = Xy do bad6 ← TKa ×Ke ←$K × KTs[U, S,X

?, Y ?] ← (S, y, (Ka,Ke))(KU,S,KS,U ) ← KDF(Ka, const)

If k = ` do tr` ← (U, S,X?, Y ?)If k = ` ∧ c = T do (KU,S,KS,U ) ←$K × Ktag ← MAC(KS,U , (U, S,X

?, Y ?))

πiS ← (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

k ← k + 1; Return (S, Y ?, tag)

proc SendTermInit(U, i, S, Y ?, tag)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr Return ⊥

fr ← ∃j, (U, S,X?, Y ?) = πjS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ∃j, πj

S= (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

(Ka,Ke) ← πjS.K

Else If ¬frY ← Y ? /Npwus ; x ← mx −mpwus(Ka,Ke) ← H(U, S,X?, Y ?, pwus, Y

x)Else (cannot be in Ts)

If ∃(U, S,X?, Y ?, pw, Z) ∈ T ∧ pw = pwusY ← Y ? /Npw; x ← mx −mpw

If Z = Y x do bad6 ← TKa ×Ke ←$K × KTs[U, S,X

?, Y ?] ← (U, x, (Ka,Ke))(KU,S,KS,U ) ← KDF(Ka, const)

If k = ` ∧ c = T do (KU,S,KS,U ) ←$K × KIf tag 6= MAC(KS,U , (U, S,X

?, Y ?))

πiU ← aborted; Return ⊥If k = ` ∧ fr ∧ @j, (U, S,X?, Y ?) = π

jS.tr

bad8 ← T; Ts[U, S,X?, Y ?] ←⊥; πiU ← aborted; Return ⊥

πiU ← (x, (U, S,X?, Y ?), Ke, T, fr)

tag ← MAC(KU,S, (U, S,X?, Y ?))

k ← k + 1; Return tag

proc SendTermResp(S, i, U, tag)

If πiS 6= (y, (U, S,X?, Y ?), (Ka,Ke), F, F) Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jU.tr ∧ πj

U.fr = T

fr ← fr ∨ (U, S) /∈ C(KU,S,KS,U ) ← KDF(Ka, const)

If tag 6= MAC(KU,S, (U, S,X?, Y ?))

πiS ← aborted; Return ⊥If triS = tr` ∧ fr ∧ @j, (U, S,X?, Y ?) = π

jU.tr

bad8 ← T; Ts[U, S,X?, Y ?] ←⊥; πiS ← aborted; Return ⊥

πiS ← (y, (U, S,X?, Y ?), Ke, T, fr)

k ← k + 1; Return T

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KIf (U, S,X?, Y ?) ∈ Ts ∧ pw = pwus

If Ts[U, S,X?, Y ?] = (U, x,K)

Y ← Y ? /Npw; x ← mx −mpw; Z′ ← Y x

If Ts[U, S,X?, Y ?] = (S, y,K)

X ← X? /Mpw; y ← ny − npw; Z′ ← Xy

If Z′ = Z ∧ (U, S) /∈ C do bad6 ← TT [U, S,X?, Y ?, pw, Z] ←$K × KReturn T [U, S,X?, Y ?, pw, Z]

proc Finalize(b′)If ∃U S, (?, pwus, ?) ∈ Ts do bad7 ← TIf ∃ pw, (?, pw, ?) ∈ Ts ∧ (?, ?, ?, ?, pw, ?) ∈ T do bad7 ← TIf bad7 = T do bad6 ← F

Return b = b′

procs Exec, Reveal, Test, Corrupt unchanged

Adversary B8

proc Initialize( )

b ←$ {0, 1}; C ← {}; T, Ts, Tst = { }; ` ←$ {0..qs − 1}For U ∈ U, S ∈ S do pwus ←$P; bad6 ← F; bad7 ← Fm ←$ Z?q ; n ←$D?(m); M ← gm; N ← gn; k ← 0; tr` =⊥Return (M,N)

proc SendInit(U, i, S)

If πiU 6=⊥ Return ⊥x ←$ Zq ; X? ← Mx

πiU ← (x, (U, S,X?,⊥),⊥, F, F)k ← k + 1; Return (U,X?)

proc SendResp(S, i, U,X?)

If πiS 6=⊥ Return ⊥y ←$ Zq ; Y ? ← Ny

If ∃P ∈ S ∪ U, (U, S,X?, Y ?) = πjP.tr Return ⊥

If ∃j, πjU

= (x, (U, S,X?,⊥),⊥, F, F)(Ka,Ke) ←$K × K

If (U, S) ∈ CX ← X? /Mpwus ; y ← ny − npwus(Ka,Ke) ← H(U, S,X?, Y ?, pwus, X

y)Else

If ∃(U, S,X?, Y ?, pw, Z) ∈ T ∧ pw = pwusX ← X? /Mpw; y ← ny − npw

If Z = Xy do bad6 ← TKa ×Ke ←$K × KTs[U, S,X

?, Y ?] ← (S, y, (Ka,Ke))(KU,S,KS,U ) ← KDF(Ka, const)

If k = ` do tr` ← (U, S,X?, Y ?)If k = ` do KS,U ←$K (KU,S is the external MAC key)

tag ← MAC(KS,U , (U, S,X?, Y ?))

πiS ← (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

k ← k + 1; Return (S, Y ?, tag)

proc SendTermInit(U, i, S, Y ?, tag)

If πiU 6= (x, (U, S,X?,⊥),⊥, F, F) Return ⊥If ∃P ∈ U, (U, S,X?, Y ?) = π

jP.tr Return ⊥

fr ← ∃j, (U, S,X?, Y ?) = πjS.tr ∧ πj

S.fr = T

fr ← fr ∨ (U, S) /∈ CIf ∃j, πj

S= (y, (U, S,X?, Y ?), (Ka,Ke), F, F)

(Ka,Ke) ← πjS.K

Else If ¬frY ← Y ? /Npwus ; x ← mx −mpwus(Ka,Ke) ← H(U, S,X?, Y ?, pwus, Y

x)Else (cannot be in Ts)

If ∃(U, S,X?, Y ?, pw, Z) ∈ T ∧ pw = pwusY ← Y ? /Npw; x ← mx −mpw

If Z = Y x do bad6 ← TKa ×Ke ←$K × KTs[U, S,X

?, Y ?] ← (U, x, (Ka,Ke))(KU,S,KS,U ) ← KDF(Ka, const)

If k = ` do KU,S ←$K (KS,U is the external MAC key)

If k 6= ` ∧ tag 6= MAC(KS,U , (U, S,X?, Y ?))

πiU ← aborted; Return ⊥If k = ` ∧ fr ∧ @j, (U, S,X?, Y ?) = π

jS.tr

Call Terminate(tag, (U, S,X?, Y ?))

πiU ← (x, (U, S,X?, Y ?), Ke, T, fr)

tag ← MAC(KU,S, (U, S,X?, Y ?))

k ← k + 1; Return tag

proc SendTermResp(S, i, U, tag)

If πiS 6= (y, (U, S,X?, Y ?), (Ka,Ke), F, F) Return ⊥fr ← ∃j, (U, S,X?, Y ?) = π

jU.tr ∧ πj

U.fr = T

fr ← fr ∨ (U, S) /∈ C(KU,S,KS,U ) ← KDF(Ka, const)

If triS 6= tr` ∧ tag 6= MAC(KU,S, (U, S,X?, Y ?))

πiS ← aborted; Return ⊥If triS = tr` ∧ fr ∧ @j, (U, S,X?, Y ?) = π

jU.tr

Call Terminate(tag, (U, S,X?, Y ?))

πiS ← (y, (U, S,X?, Y ?), Ke, T, fr)

k ← k + 1; Return T

proc H(U, S,X?, Y ?, pw, Z)

If T [U, S,X?, Y ?, pw, Z] = K 6=⊥ Return KIf (U, S,X?, Y ?) ∈ Ts ∧ pw = pwus

If Ts[U, S,X?, Y ?] = (U, x,K)

Y ← Y ? /Npw; x ← mx −mpw; Z′ ← Y x

If Ts[U, S,X?, Y ?] = (S, y,K)

X ← X? /Mpw; y ← ny − npw; Z′ ← Xy

If Z′ = Z ∧ (U, S) /∈ C do bad6 ← TT [U, S,X?, Y ?, pw, Z] ←$K × KReturn T [U, S,X?, Y ?, pw, Z]

proc Finalize(b′)Stop.

procs Exec, Reveal, Test, Corrupt unchanged

Fig. 11. Security proof for SPAKE2 with confirmation. Query guess game and adversaries.